JustThomas

@JustThomas
JustThomas / nginx_remove_double_slashes.md
Created Feb 4, 2018
nginx: Remove double slashes from URLs
View nginx_remove_double_slashes.md

Put the following directives in your server block. nginx will then redirect URLs with double (or triple or multiple) slashes to the corresponding URL with a single slash.

merge_slashes off;
rewrite ^(.*?)//+(.*?)$ $1/$2 permanent;
@JustThomas
JustThomas / sqli_wp_user_control.md
Last active Jan 30, 2019
SQL injection vulnerability in WordPress "User Control" plugin
View sqli_wp_user_control.md

SQL Injection vulnerability in WordPress "User Control" plugin

The User Control plugin gives administrators the possibility to disable user accounts in WordPress. Users whose accounts have been disabled cannot sign in to WordPress anymore. Unfortunately, the plugin has some serious vulnerabilities which anyone can use to perform SQL queries on the WordPress SQL database.

The plugin has been removed from the official WordPress plugin repository. If this plugin is installed on your WordPress installation, you should remove it ASAP.

Vulnerable code

The plugin contains the following code, which is executed on every page load:

@JustThomas
JustThomas / resolve_wordpress_mu_domains.sh
Last active Feb 25, 2017
Resolve all domains from a CSV export of the wp_domain_mapping database table
View resolve_wordpress_mu_domains.sh
#!/bin/bash
INPUT=wp_domain_mapping.csv
OLDIFS=$IFS
IFS=,
[ ! -f $INPUT ] && { echo "$INPUT file not found"; exit 99; }
while read domainid siteid domain active
do
domain=${domain//\"} # Remove quotes
domainid=${domainid//\"} # Remove quotes
ip=`dig +short $domain | tail -n 1` # Resolve domain name
@JustThomas
JustThomas / wordpress-multisite-internal-redirect-loop.md
Last active Jun 4, 2019
WordPress Multisite: How to fix error "too many redirects"
View wordpress-multisite-internal-redirect-loop.md

WordPress Multisite: How to fix error "Request exceeded the limit of 10 internal redirects"

I am running a WordPress multisite network with sub-directory setup. When I check my error.log file, it is full of entries like this one:

Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'Limit InternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.

The problem was, in my case, one specific rewrite rule in the .htaccess file.

Problem description

View keybase.md

Keybase proof

I hereby claim:

  • I am justthomas on github.
  • I am justthomas (https://keybase.io/justthomas) on keybase.
  • I have a public key whose fingerprint is BD76 69E9 D631 C156 DDB3 832F D815 E4AD 5C9A E6D9

To claim this, I am signing this object:

@JustThomas
JustThomas / wordpress_https_workaround.php
Last active Aug 29, 2015
Workaround for redirects with WordPress HTTPS and WordPress MU Domain Mapping
View wordpress_https_workaround.php
<?php
/*
Plugin Name: Workaround for HTTPS with Domain Mapping
Description: Disables redirect from MU Domain Mapping Plugin on SSL-secured pages
Author: Thomas Ulrich
Author URI: https://github.com/JustThomas
Version: 0.1
*/
function tu_wordpress_https_workaround() {