Category: "Security"

WordPress 2.5 Image File Upload Errors

In addition to b2evolution, I have WordPress 2.5 blogs, which were extremely easy to upgrade through Fantastico.

There were two issues that were causing image uploads to fail.

Here are links to the two solutions that worked for me, with thanks to the authors.

http://www.hongkiat.com/blog/wordpress-25-image-upload-error-wordpress-fix/

http://www.northfieldweb.com/wordpress/?p=36

Version Hiding for Server and Application Security

One of the easiest ways to make a server or application more secure is to reduce the publicly accessible information.

The link above describes how version strings can be suppressed in the HTTP headers, making it more difficult for people to identify the version of server software you are running and the version of PHP.

The same principle applies to applications: any tag in the HTML that exposes the version should be suppressed.

md5('just_a_test')

With sincere thanks to the associated URL, this is .htaccess code that can be used with b2evolution to deny access to requestors who include http: or ftp: on the query string. This is slightly different from the other post - it seems to be working. [L,F] didn’t work as I would have liked.

.htaccess

# Deny requests whose query string carries an http:// or ftp:// URL as a
# parameter value (case-insensitive) by rewriting them to 403.php
RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*=(ht|f)tp\://.*$ [NC]
RewriteRule ^.*$  403.php [L]

# CATCH EVERYTHING INTO B2EVO:
# The following will allow you to have URLs right off the site root,
# using index.php as a stub but not showing it.
# This will add support for URLs like:  http://example.com/2006/08/29/post-title
# Redirect anything that's not an existing directory or file to index.php
#
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^.*$ index.php [L]

403.php

<?php
// Reply with 403 Forbidden to any request the rewrite rule above sent here
header('HTTP/1.1 403 Forbidden');

I hope this is helpful.

curl

This is the second half of the prior post - how to find out what version of PHP is running on your server. Use curl with the -I (uppercase i) option, followed by the domain name, to get the HTTP headers. There are many options you can use with curl, and the server can be configured to suppress some of this information for improved security - so if you don’t get the results you need, refer to the man pages and try again.

HTTP/1.1 200 OK
Date: Fri, 21 Mar 2008 23:11:07 GMT
Server: Apache/1.3.41 (Unix) mod_jk/1.2.23 mod_deflate/1.0.21 mod_fastcgi/2.4.2 PHP/5.2.3 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.8 FrontPage/5.0.2.2634a mod_ssl/2.8.31 OpenSSL/0.9.7a
X-Powered-By: PHP/4.4.8
Content-Type: text/html

Another approach is to create one file, ver.php, and a link to it called ver.php5. It should contain the following:

<?php
echo phpversion();

Request both URLs through a browser to see what version is used to deliver them.
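As an added example (not code from the post or from curl), this Python script serves the version-hiding post above and this one: it parses a saved curl -I header block, here the output quoted above plus a constructed HTML fragment, and lists every product/version token found in the response headers and in the HTML generator meta tag. The header names and regular expressions are my assumptions about where versions are commonly disclosed.

```python
import re

# Sample input: the curl -I output quoted in the post above, verbatim.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Date: Fri, 21 Mar 2008 23:11:07 GMT
Server: Apache/1.3.41 (Unix) mod_jk/1.2.23 mod_deflate/1.0.21 mod_fastcgi/2.4.2 PHP/5.2.3 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.8 FrontPage/5.0.2.2634a mod_ssl/2.8.31 OpenSSL/0.9.7a
X-Powered-By: PHP/4.4.8
Content-Type: text/html
"""

# Constructed HTML fragment of the kind a blog engine emits in <head>.
SAMPLE_HTML = '<html><head><meta name="generator" content="WordPress 2.5" /></head></html>'

# Assumed set of response headers that commonly carry product/version strings.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# "name/1.2.3" tokens such as Apache/1.3.41 or PHP/4.4.8 (suffixes like 0.9.7a allowed)
TOKEN_RE = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\w+)*)")
# <meta name="generator" content="..."> in either quote style, any case
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)


def parse_headers(raw):
    """Return {lowercased-name: value} for a raw header block; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def find_version_leaks(raw_headers, html=""):
    """Return (location, product, version) tuples for every version disclosure found."""
    leaks = []
    headers = parse_headers(raw_headers)
    for name in VERSION_HEADERS:
        for product, version in TOKEN_RE.findall(headers.get(name, "")):
            leaks.append((name, product, version))
    for content in GENERATOR_RE.findall(html):
        parts = content.split(None, 1)  # "WordPress 2.5" -> ("WordPress", "2.5")
        leaks.append(("meta generator", parts[0], parts[1] if len(parts) > 1 else ""))
    return leaks


if __name__ == "__main__":
    for where, product, version in find_version_leaks(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{where}: {product} {version}")
```

An empty result on a server whose headers read only "Server: Apache" and whose pages carry no generator tag is the state the version-hiding post is aiming for.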

Great SSL Explanation

This is a great explanation of how to work with SSL certificates.

http://dertompson.com/index.php/2007/02/10/requiring-a-client-certificate/