I use the Crayon syntax highlighting plugin to display code on this blog. Recently I upgraded my server to PHP 7.3, which broke a fair few things, including this plugin.

Unfortunately, it looks like this plugin is no longer being maintained – the latest stable release was three years ago, and the latest commit on their GitHub was over a year ago.

Never fear, open source is here!

If you’re using the stable version, open up crayon_langs.class.php and change line 340 from this:

preg_replace('/[^\w-+#]/msi', '', $id);

To this:

preg_replace('/[^\w\-+#]/msi', '', $id);

Notice the escaping before the - character. PHP 7.3 moved to PCRE2, which is stricter about character classes: an unescaped hyphen between \w and + is read as an invalid range, so the pattern fails to compile (“Compilation failed: invalid range in character class”) and preg_replace() returns null instead of the sanitised id. Escaping the hyphen makes it a literal again, which is what the original author meant.

Should work now.

Just a quick one. I noticed in my web server logs a whole bunch of directory walk “script kiddie” exploit attempts against various WordPress sites on my server, attempting to retrieve my WordPress configuration file, wp-config.php.

A directory walk attack (more commonly called directory or path traversal) is where someone abuses the file-download feature of some plugin or other, tricking it into returning a different file by prefixing the file name with ../ sequences that climb out of the directory the plugin intended to serve from. E.g.

GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

None of these attempts was successful, since this is an obvious trick that input sanitisation should strip out. But defence in depth is part of having a secure system, and every programmer makes mistakes, so it is worth blocking the pattern at the web server as well.

So, I knocked together a quick modsecurity rule:

SecRule ARGS "(\.\.\/)+wp-config.php"\
  "phase:1,log,deny,status:503,msg:'Attempt to download wp-config.php via the GET line'"

Which seems to shut this one exploit down. HTH 🙂