BPS Pro-Tools 404 error

  • #3691
    AITpro Admin
    Keymaster

    This is actually the same issue/problem and does not have anything to do with a php.ini file.  Your web host just needs to whitelist the tools.php file on this particular site.  The issue/problem is that your Host has a security scanner that is seeing the standard php functions regarding base64 encoding/decoding/deflating and inflating php functions in that file as malicious.

    #3692
    Paul D.
    Participant

    Got it all mixed up with another issue I posted in the forum regarding php.ini.. my bad. I apologize.

    If they (webhost tech support) “whitelisted” the file, how come that after clone deployment to the same domain it reverted to the old problem (404 error and wrong path to the BPS Pro-Tools) ?

    This is not an issue with BPS-Pro, yes ? And an issue with webhost settings/whitelisting/scanner ?
    Thank you for the great support for this plugin.
    Paul

    #3694
    AITpro Admin
    Keymaster

    Logically what they must have done was to create an exclude/exception rule in their Server security scanner for only the literal path to the other website instead of doing something like creating an exclude/exception rule in their Server security scanner for all of your websites under your hosting account.  😉  I guess the best thing to do would be to ask them to create an exclude/exception rule for your entire hosting account based on the hosting account root folder name.  They can do this safely by also explicitly whitelisting the tools.php file ONLY.

    #3698
    Paul D.
    Participant

    Okay.. I will try to inform them of that and will post developments in this thread soon.

    Thanks.

    #3699
    AITpro Admin
    Keymaster

    Please ask them what Server Scanner software they are using so it can be documented here.  Thank you.

    #3806
    Paul D.
    Participant

    Sadly, webhost won’t tell us their scanner and won’t exclude tools.php. Tech said :

    I have investigated the automated malware scanner logs and am not seeing tools.php to be classed as malware and quarantined therefore making exception rules is unnecessary for this file. I have added the only trouble file within the account accountnamehere to the whitelist/exclude list.

    Unfortunately we cannot guarantee that our malware scanners will not pick up newly created files of this type, if the file has any signs of eval(base64_decode in PHP, it will be classed as malware automatically, for example, as it is the most popular kind of ‘infection’/code injection around the web currently.

    Oh well.

    #3815
    AITpro Admin
    Keymaster

    The tech is saying that tools.php was not seen as malicious, but it is obviously seen as malicious by their scanner.  Yeah, no big deal really.  Pro-Tools is not essential and is just a collection of extra tools that most people would not ever use anyway.  I use several of them regularly, but the average person would not really need any of them.

    BPS Pro does not use the php eval “function”, but it does reference this very dangerous language construct “function” in text only (display or help files text) and not the actual eval “function” itself.  The php base64_decode and base64_encode functions are standard safe php functions, but eval is definitely not really safe to use.  In any case, a lot of scanners just look for base64_decode, which is completely understandable since hackers commonly use this php function in their hacking scripts.

    Source:  http://php.net/manual/en/function.eval.php

    The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.
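
The distinction drawn in post #3815, between a file that only mentions eval(base64_decode in display text and a file that executes it, shown as an added example (not part of the original thread, and not BPS Pro or host scanner code). It uses PHP's built-in tokenizer (`token_get_all`) and goes slightly beyond the literal string by also matching a decode call wrapped inside the eval argument; the function name `classify_php` and the three sample sources are constructed for illustration.

```php
<?php
// Added example, not BPS Pro or scanner-vendor code. All sample inputs are constructed.
// Reports how eval / base64_decode appear in a PHP source string, by token context.
function classify_php(string $src): array
{
    $r = ['substring_hit' => stripos($src, 'base64_decode') !== false,
          'text_mentions' => 0, 'decode_calls' => 0, 'eval_of_decoded' => false];
    $inert = [T_INLINE_HTML, T_CONSTANT_ENCAPSED_STRING, T_ENCAPSED_AND_WHITESPACE,
              T_COMMENT, T_DOC_COMMENT];
    $code = [];  // significant tokens as [is_eval_construct, lowercase text]
    foreach (token_get_all($src) as $tok) {
        [$id, $text] = is_array($tok) ? $tok : [null, $tok];
        if ($id === T_WHITESPACE || $id === T_NS_SEPARATOR) {
            continue;
        }
        if (in_array($id, $inert, true)) {
            // HTML, string literals and comments are display text, not executed code.
            $r['text_mentions'] += preg_match_all('/\beval\b|base64_decode/i', $text);
            continue;
        }
        $code[] = [$id === T_EVAL, ltrim(strtolower($text), '\\')];
    }
    for ($i = 0, $n = count($code); $i + 1 < $n; $i++) {
        if ($code[$i][1] === 'base64_decode' && $code[$i + 1][1] === '(') {
            $r['decode_calls']++;
        }
        if (!$code[$i][0] || $code[$i + 1][1] !== '(') {
            continue;
        }
        // Walk the eval(...) argument so wrapped forms such as inflate-then-eval match too.
        for ($j = $i + 1, $depth = 0; $j + 1 < $n; $j++) {
            $depth += (int) ($code[$j][1] === '(') - (int) ($code[$j][1] === ')');
            if ($depth === 0) {
                break;
            }
            if ($code[$j][1] === 'base64_decode' && $code[$j + 1][1] === '(') {
                $r['eval_of_decoded'] = true;
            }
        }
    }
    return $r;
}

$samples = [
    'help_text'    => '<p>Never eval(base64_decode(...)) user data.</p><?php $h = "base64_decode is standard"; ?>',
    'decoder_tool' => '<?php echo htmlspecialchars(base64_decode($_POST["encoded"] ?? "")); ?>',
    'injected'     => '<?php eval(gzinflate(base64_decode("CONSTRUCTED_PLACEHOLDER"))); ?>',
];
foreach ($samples as $name => $src) {
    echo $name, ' ', json_encode(classify_php($src)), PHP_EOL;
}
```

All three samples trip a plain substring signature, but only the third has a decode call inside an executed eval. A function name assembled at run time is not visible to the tokenizer, so this narrows false positives rather than replacing a host-side scanner.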

    #3823
    AITpro Admin
    Keymaster

    The only tab pages that contain the base64_decode and base64_encode functions are for the Base 64 Decoder and Encoder Tools, so if you want I can send you a Pro-Tools page with the code removed from those 2 tab pages.  Or if you are comfortable with doing it yourself then you would just open the tools.php file with a code editor or Notepad++ and then delete the code for those 2 tabs.

    <div id="bps-tabs-1">
    delete everything after the div above to the closing div tag
    </div>

    <div id="bps-tabs-2">
    delete everything after the div above to the closing div tag
    </div>

    #3824
    Paul D.
    Participant

    It’s okay.. I may not be even using that Pro Tool .. so I think we are good without those advanced tools in BPS Pro.

    Thanks for the support.. and you can consider this thread closed.
