Automattic / jetpack

Security, performance, marketing, and design tools — Jetpack is made by WordPress experts to make WP sites safer and faster, and help you grow your traffic.
https://jetpack.com/
Other
1.59k stars 798 forks source link

Issue with caching searches and exploits #25494

Open michdud opened 5 years ago

michdud commented 5 years ago

Hi there! I've got (I think) an issue similar to Automattic/wp-super-cache#655–people are testing exploits in our search bar, which then get cached. This would be fine (assuming the exploits don't work), except our hosting service takes down the site every time a search with suspected malware is cached.

The file is /home/tks/webapps/wpresdesign/wp-content/cache/meta/wp-cache-2fab3455e9ea525690ede99e18bbed32.php and the contents of the file are:

<?php die(); ?>{"headers":{"Vary":"Vary: Cookie","Last-Modified":"Last-Modified: Sat, 30 Mar 2019 04:21:58 GMT","Content-Type":"Content-Type: text\/html; charset=\"UTF-8\""},"uri":"www.theknoxstudent.com\/\/?s=index\/\\think\\template\\driver\\file\/write&cacheFile=robots1.php&content=xbshell?php%20@eval$_POST[admin];?","blog_id":"1","post":0,"key":"www.theknoxstudent.com80\/\/?s=index\/\\think\\template\\driver\\file\/write&cacheFile=robots1.php&content=xbshell<?php%20@eval($_POST[admin]);?>"}

To prevent the plugin from caching searches, would I include 's=' in the list of pages to exclude from caching? Or is there some other way to remove searches from the cache?

We should be using the latest version of this plugin.

(Also please do let me know if my assumptions are wrong about what's going on in this file, I'm not super familiar with PHP.)

michdud commented 5 years ago

Ok, this was much easier to figure out once I had access to the dashboard of my site again.

There's a setting on the dashboard under Settings -> WP Super Cache that allows you to turn off caching for search pages (discussion of how search pages are found is here).

Screen Shot 2019-04-03 at 10 15 49 AM
michdud commented 5 years ago

I updated the settings as shown above, but the plugin still seems to still be caching search pages (e.g. /home/tks/webapps/wpresdesign/wp-content/cache/blogs/?s=index/meta/wp-cache-?s=index03ba1b26718027012006f2ca32a09308.php) . Is there any reason this should still be the case? Is there a way to fix this?