Fixing Crayon Syntax Highlighting plugin

Posted on June 2, 2019

I use the Crayon syntax highlighting plugin in order to display code on this blog. Recently I upgrade my server to PHP 7.3, which broke a fair few things, including this plugin.

Unfortunately, it looks like this plugin is no longer being maintained – the latest stable release was three years ago, and the latest commit on their GitHub was over a year ago.

Never fear, open source is here!

If you’re using the stable version, open up crayon_langs.class.php and change crayon_langs.class.php:340 from this:

preg_replace('/[^\w-+#]/msi', '', $id);

To this:

preg_replace('/[^\w\-+#]/msi', '', $id);

Notice the escaping before the - character.

Should work now.

Blocking no-referrer script kiddie login attempts

Posted on September 17, 2015

Marcus Povey

Ok, so here’s a quicky.

Like anyone who runs a wordpress site, I get numerous attempts from script kiddies attempting to guess the login. The vast majority of these are handled by fail2ban, but I’ve noticed an increase in the distributed kind of attack – multiple attempts to log in, but all from different IPs.

These fell below the ban threshold, so were getting through. Since strength in depth is good, and I wanted quiet logs, I thought I’d do something about this.

On inspection, it looked like the scripts aren’t terribly smart, in that they just make a POST to wp-login.php without first loading the login form, meaning they attempted to POST without setting a referrer. So, I wrote a rewrite rule that will block POST attempts to wp-login.php that have no referrer set.

This is by no means foolproof, the referrer can be easily faked, but it raises the bar slightly for them.

Blocking the scripts

Place the following in your .htaccess file, or http.conf for your wordpress site:

RewriteEngine On

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-login\.php
RewriteCond %{HTTP_REFERER} ^$
RewriteRule .* - [F,L]

What this does is block all POST requests to wp-login.php that have an empty referrer, returning a 403 error when this occurs.

It’s very simple, and easy to work around, but seems to block most script kiddies.

Testing

To test, use curl; the following should fail:

curl -d 'test' https://example.com/wp-login.php

But this will return some content:

curl -d 'test' --referer foo.bar https://example.com/wp-login.php

Blocking access to wp-config.php with modsecurity

Posted on June 25, 2015

Marcus Povey

Just a quick one…. I noticed in my webserver logs, a whole bunch of directory walk “script kiddie” exploit attempts to various wordpress sites on my server, attempting to retrieve my wordpress configuration file: wp-config.php.

A directory walk attack is where someone will attempt to use a download feature of some plugin or other in attempt to trick it to retrieve a different file, by passing ../ before the file name. E.g.

GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

None of these exploits was successful, since this is an obvious approach which should be sanitised out of inputs, but part of having a secure system is the concept of strength in depth and every programmer makes mistakes.

So, I knocked together a quick modsecurity rule:

SecRule ARGS "(\.\.\/)+wp-config.php"\
  "phase:1,log,deny,status:503,msg:'Attempt to download wp-config.php via the GET line'"

Which seems to shut this one exploit down. HTH 🙂

Marcus Povey

Time, Space, and Plexiglas

Tag Archives: wordpress

Fixing Crayon Syntax Highlighting plugin

Blocking access to wp-config.php with modsecurity