wp-content/plugins/gauntlet-security/admin/includes/classes/gus_FilePermissions.php
“php.spam-seo.injector_gen.007”

Overall this is a great plugin, but I have one small criticism: your recommended fix to prevent code execution for uploaded files won’t work under common default Apache/PHP configurations.
Your recommended fix allows requests only for files ending with certain whitelisted extensions:
Order deny,allow
Deny from all
<Files ~ ".(jpe?g|png|gif|mp3|wav|ogg|m4a|mp4|mov|wmv|avi|mpg|ogv|3gp|3g2|pdf|docx?|pptx?|ppsx?|odt|xlsx?|zip)$">
Allow from all
</Files>
The problem is that Apache out of the box processes *multiple* file extensions and passes off execution to any handlers registered for them. (The default Apache PHP config also allows execution for multiple file extensions.)
So, even with the above directive in place, PHP code in a file called “evil.php.png” will still execute under common default configurations.
(See https://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext)
The solution is probably something like this (I haven’t tested it):
<Files *>
SetHandler default-handler
</Files>
as described here: https://stackoverflow.com/questions/18932756/disable-all-cgi-php-perl-for-a-directory-using-htaccess
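As an added example (not code from the plugin or from the post above), here is a PHP-side companion to the `SetHandler default-handler` fix: a filename check for the uploads directory that looks at every dot-separated segment, the way mod_mime does, instead of only the last one. The list of script extensions and the function names are assumptions; the whitelist regex is the one quoted in the post.

```php
<?php
// Added example, not the plugin's code. Apache's mod_mime treats every
// dot-separated segment of a file name as an extension, so a defence-in-depth
// check on upload names must inspect all segments. The extension list is an
// assumption; adjust it to the handlers registered on the server.
const GUS_EXAMPLE_EXEC_EXTENSIONS = array(
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
    'cgi', 'pl', 'py', 'sh', 'shtml',
);

/**
 * Returns the extension segments that a script handler could claim,
 * e.g. "evil.php.png" gives array('php'). An empty array means none found.
 */
function gus_example_executable_segments( $filename ) {
    // Only the basename matters; normalise separators and drop any path.
    $base     = basename( str_replace( '\\', '/', $filename ) );
    $segments = explode( '.', $base );
    array_shift( $segments ); // the first segment is the file name, not an extension

    $found = array();
    foreach ( $segments as $segment ) {
        $segment = strtolower( $segment );
        if ( in_array( $segment, GUS_EXAMPLE_EXEC_EXTENSIONS, true ) ) {
            $found[] = $segment;
        }
    }
    return $found;
}

/**
 * Whitelist check mirroring the <Files ~ "...$"> regex from the post, plus a
 * rejection of any executable segment anywhere in the name.
 */
function gus_example_upload_name_allowed( $filename ) {
    $allowed_last = '/\.(jpe?g|png|gif|mp3|wav|ogg|m4a|mp4|mov|wmv|avi|mpg|ogv|3gp|3g2|pdf|docx?|pptx?|ppsx?|odt|xlsx?|zip)$/i';
    if ( ! preg_match( $allowed_last, $filename ) ) {
        return false; // last extension is not on the whitelist at all
    }
    return count( gus_example_executable_segments( $filename ) ) === 0;
}

// Constructed sample names to exercise the check.
$sample_names = array( 'photo.png', 'evil.php.png', 'report.pdf', 'script.phtml', 'archive.tar.gz' );
foreach ( $sample_names as $name ) {
    printf( "%-16s %s\n", $name, gus_example_upload_name_allowed( $name ) ? 'allowed' : 'rejected' );
}
```

With the constructed names, `photo.png` and `report.pdf` pass, `evil.php.png` is rejected because of its `php` segment, and `script.phtml` and `archive.tar.gz` are rejected by the whitelist. The name check is a second layer only; the server-side `SetHandler default-handler` in the uploads directory remains the primary control, since a name filter cannot help with files that reach the directory by other means.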

My latest finding in the field of WP security is
Unknown admin-ajax and admin-post action
See Revolution Slider vulnerability.
You could check for this. I do not know yet how.
The protection is as follows:
// Unknown admin-ajax and admin-post action
// Registered as a plain function here; the callback below is not a class method.
add_action( 'all', 'gs_all_action', 0 );

function gs_all_action( $tag ) {
    global $wp_filter;

    // The 'all' hook fires for every action; only admin-post / admin-ajax
    // action hooks with no registered handler are of interest.
    if ( ( 'admin_post_' === substr( $tag, 0, 11 )
            || 'wp_ajax_' === substr( $tag, 0, 8 ) )
        && ! isset( $wp_filter[ $tag ] )
    ) {
        // trigger mod_security, fail2ban, nginx naxsi etc.
        // Helps learning attack internals
        error_log( 'HTTP REQUEST: ' . addslashes( serialize( $_REQUEST ) ) );
        ob_get_level() && ob_end_clean();
        header( 'Status: 403 Forbidden' );
        header( 'HTTP/1.0 403 Forbidden' );
        exit();
    }
}
Actually .git is a file, I added wordpress as a submodule
stat /home/olm/website/html/olm/.git
  File: '/home/olm/website/html/olm/.git'
  Size: 40        Blocks: 8          IO Block: 4096   regular file
Device: fe00h/65024d    Inode: 630380      Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1002/     olm)   Gid: ( 1002/     olm)
Access: 2015-07-02 03:25:11.000000000 +0200
Modify: 2015-07-01 16:26:40.000000000 +0200
Change: 2015-07-02 03:24:35.000000000 +0200
 Birth: -
There is an openbasedir warning with debug on.
Warning: is_file(): open_basedir restriction in effect. File(/home/olm/website/html/olm/.git/HEAD) is not within the allowed path(s): (/home/olm/website/) in /home/olm/website/html/content/plugins/gauntlet-security/admin/includes/classes/gus_StrayFiles.php on line 493
{"test_id":"gus_StrayFiles","class":"pass","title":"No stray files could be found that are accessible and could be useful to attackers" ....
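As an added example (not the plugin's code), here is how a stray-file check can handle the two cases this report describes: a `.git` that is a regular gitlink file (as written for submodules) rather than a directory, and a path that open_basedir will not allow to be probed. The function names are assumptions, and the open_basedir test is a simplified prefix comparison, not PHP's full resolution.

```php
<?php
// Added example, not the plugin's code. Locates git metadata under a web
// root without assuming ".git" is a directory and without calling
// is_file()/is_dir() on paths outside open_basedir.

/**
 * True when $path is inside one of the open_basedir prefixes, or when no
 * open_basedir restriction is configured. Simplified: PHP also resolves
 * symlinks before comparing, which this helper does not.
 */
function gus_example_within_open_basedir( $path ) {
    $basedir = ini_get( 'open_basedir' );
    if ( $basedir === false || $basedir === '' ) {
        return true;
    }
    foreach ( explode( PATH_SEPARATOR, $basedir ) as $prefix ) {
        $prefix = rtrim( $prefix, '/' );
        if ( $prefix !== '' && strpos( $path, $prefix . '/' ) === 0 ) {
            return true;
        }
    }
    return false;
}

/**
 * Classifies the ".git" entry of a directory:
 *   'dir'          a full checkout (contains HEAD, config, objects, ...)
 *   'gitlink'      a regular file starting with "gitdir:", as git writes for submodules
 *   'unknown-file' a regular file with other content
 *   null           absent, or not probed because of open_basedir
 */
function gus_example_git_entry_type( $docroot ) {
    $git = rtrim( $docroot, '/' ) . '/.git';

    if ( ! gus_example_within_open_basedir( $git ) ) {
        return null; // probing here is what produced the warning in the report
    }
    if ( is_dir( $git ) ) {
        return 'dir';
    }
    if ( is_file( $git ) ) {
        // Only the first line is needed to recognise a gitlink.
        $head = file_get_contents( $git, false, null, 0, 200 );
        if ( $head !== false && strpos( $head, 'gitdir:' ) === 0 ) {
            return 'gitlink';
        }
        return 'unknown-file';
    }
    return null;
}

// Either form of ".git" is worth reporting: both reveal that the site is a
// git checkout, and a gitlink additionally names the parent repository's
// metadata directory.
$type = gus_example_git_entry_type( '/home/olm/website/html/olm' );
echo 'git entry: ', var_export( $type, true ), "\n";
```

A scanner that only tests `.git/HEAD` misses the submodule layout in this report entirely, because there `.git` is a 40-byte file and `.git/HEAD` does not exist; checking the entry type first covers both layouts and keeps the `is_file()` call inside the allowed paths.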
Hi, great feedback from this plugin’s scan. A few questions:
1. WP says default permissions for htaccess and wp-config are 644 default and 604/600 “secured”. I’m using W3 Total Cache that updates htaccess and added my own bot blocking statements, wp hardening, etc. What’s the recommended permissions that won’t cause issues with plugins or other reasons?
2. Is there a Gauntlet cache? I added your log file block and disabled directory indexing in my htaccess (copied your code and pasted it) and it still shows there are issues with subsequent scans for those items?

echo "This file may be deleted" >
into
echo "This file may be deleted" >
Please remove the admin/tmp dir.

This is the strictest test for PHP I’ve ever seen:
https://github.com/sektioneins/pcc
Please consider copying some of its checks.

I think the WP Codex is outdated on this topic.
The lang packs are url += '/langs/' + lang + '_dlg.js'; (JavaScript), not PHP.
Only wp-includes/ms-files.php and wp-includes/js/tinymce/wp-mce-help.php contain a reference to wp-load.php, so no other PHP file should be called directly.
I suggest excluding only these two and blocking the whole wp-includes dir in the htaccess example.
When detecting plugin status, newer plugins also get:
“Needs an update”
Please handle downgrades:
– one may develop plugins
– one may add a “1” in front of the plugin version to keep it from updating, because of modifications in the plugin code
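As an added example (not the plugin's code), here is a version-state classifier that treats an installed version newer than the repository version as its own state rather than reporting “Needs an update”. The function name and the sample version pairs are constructed for the example.

```php
<?php
// Added example, not the plugin's code. Compares the installed version of a
// plugin with the version the update API reports and distinguishes
// "ahead of repository" (a pinned or locally modified plugin) from
// "needs update". Inputs are constructed.

/**
 * @param string      $installed version from the plugin header
 * @param string|null $available version from the update API, null when the
 *                               plugin is not listed (private or custom code)
 */
function gus_example_update_state( $installed, $available ) {
    if ( $available === null ) {
        return 'not-in-repository';
    }
    $cmp = version_compare( $installed, $available );
    if ( $cmp < 0 ) {
        return 'needs-update';
    }
    if ( $cmp > 0 ) {
        // e.g. "15.2.1" installed against "5.2.1" available: the version was
        // pinned by prefixing a "1", so this is not an outdated install.
        return 'ahead-of-repository';
    }
    return 'up-to-date';
}

// Constructed cases covering all four states.
$cases = array(
    array( '1.1.1',   '1.1.1' ),
    array( '1.0.9',   '1.1.1' ),
    array( '15.2.1',  '5.2.1' ),
    array( '2.0-dev', null ),
);
foreach ( $cases as $case ) {
    printf( "%-8s vs %-7s => %s\n",
        $case[0], var_export( $case[1], true ), gus_example_update_state( $case[0], $case[1] ) );
}
```

Reporting `ahead-of-repository` separately lets a scanner warn that the plugin will never receive upstream security fixes automatically, which is the actual risk of the pinning trick, without mislabelling it as outdated.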
return $user->ID == 1;
This checks only the LAST user in array_reduce().
if(array_reduce( get_users(), array( $this, 'is_one_callback' ), false ))
...
return ( $carry || $user->ID == 1 );
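As an added example (not the plugin's code), here are the two reducer callbacks from this report run over a constructed user list outside WordPress, so the difference between them is visible. `stdClass` objects stand in for `WP_User` and the constructed array replaces `get_users()`.

```php
<?php
// Added example, not the plugin's code. Demonstrates why a reducer that
// ignores $carry only reports the last element, using a constructed user
// list in place of get_users().
$example_users = array(
    (object) array( 'ID' => 1,  'user_login' => 'admin' ),  // the account the check should detect
    (object) array( 'ID' => 7,  'user_login' => 'editor' ),
    (object) array( 'ID' => 12, 'user_login' => 'author' ),
);

// Original callback: the result of every earlier element is discarded,
// so the reduction is decided by the last user alone.
function is_one_callback_buggy( $carry, $user ) {
    return $user->ID == 1;
}

// Fixed callback: once any user has ID 1 the result stays true.
function is_one_callback_fixed( $carry, $user ) {
    return ( $carry || $user->ID == 1 );
}

/**
 * Reduces a user list with the given callback and returns a boolean.
 */
function gus_example_has_user_id_one( array $users, $callback ) {
    return (bool) array_reduce( $users, $callback, false );
}

var_dump( gus_example_has_user_id_one( $example_users, 'is_one_callback_buggy' ) );
var_dump( gus_example_has_user_id_one( $example_users, 'is_one_callback_fixed' ) );
```

With the constructed list the buggy reducer returns false, because the last user has ID 12, even though user 1 exists; the fixed reducer returns true. Since the check is only looking for a single matching user, a plain `foreach` with an early `return true` would avoid the reducer subtlety altogether.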
Please be advised that default salt strings are translated:
define('AUTH_KEY', 'írj ide valami nagyon bonyolultat');
define('SECURE_AUTH_KEY', 'írj ide valami nagyon bonyolultat');
define('LOGGED_IN_KEY', 'írj ide valami nagyon bonyolultat');
define('NONCE_KEY', 'írj ide valami nagyon bonyolultat');
define('AUTH_SALT', 'írj ide valami nagyon bonyolultat');
define('SECURE_AUTH_SALT', 'írj ide valami nagyon bonyolultat');
define('LOGGED_IN_SALT', 'írj ide valami nagyon bonyolultat');
define('NONCE_SALT', 'írj ide valami nagyon bonyolultat');
A) Please check whether they are equal.
B) Check the number of signs and digits in them.
Based on real world attacks:
'access',
'admin',
'administrator',
'backup',
'blog',
'business',
'contact',
'data',
'demo',
'doctor',
'guest',
'info',
'information',
'internet',
'master',
'number',
'office',
'pass',
'password',
'postmaster',
'public',
'root',
'sales',
'server',
'service',
'test',
'user',
'username',
'webmaster'
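As an added example (not the plugin's code), here are the two salt checks suggested above (A: identical values, B: counting signs and digits) together with a wordlist check for the database password drawn from the list just given. The constants are constructed input that reproduces the translated-salt case; the function names and the 12-character length floor are assumptions.

```php
<?php
// Added example, not the plugin's code. Constructed wp-config.php values:
// all eight constants carry the translated placeholder from the report.
$example_salts = array(
    'AUTH_KEY'         => 'írj ide valami nagyon bonyolultat',
    'SECURE_AUTH_KEY'  => 'írj ide valami nagyon bonyolultat',
    'LOGGED_IN_KEY'    => 'írj ide valami nagyon bonyolultat',
    'NONCE_KEY'        => 'írj ide valami nagyon bonyolultat',
    'AUTH_SALT'        => 'írj ide valami nagyon bonyolultat',
    'SECURE_AUTH_SALT' => 'írj ide valami nagyon bonyolultat',
    'LOGGED_IN_SALT'   => 'írj ide valami nagyon bonyolultat',
    'NONCE_SALT'       => 'írj ide valami nagyon bonyolultat',
);

/**
 * A) Groups of constant names that share the same value.
 */
function gus_example_duplicate_salts( array $salts ) {
    $by_value = array();
    foreach ( $salts as $name => $value ) {
        $by_value[ $value ][] = $name;
    }
    $dupes = array();
    foreach ( $by_value as $names ) {
        if ( count( $names ) > 1 ) {
            $dupes[] = $names;
        }
    }
    return $dupes;
}

/**
 * B) Length, digit count and sign count (anything that is not a letter,
 * number or whitespace). A generated 64-character WordPress salt has many
 * of each; a translated sentence has none.
 */
function gus_example_salt_composition( $value ) {
    return array(
        'length' => strlen( $value ),
        'digits' => preg_match_all( '/[0-9]/', $value ),
        'signs'  => preg_match_all( '/[^\p{L}\p{N}\s]/u', $value ),
    );
}

// Subset of the wordlist from the post, for the database password check.
const GUS_EXAMPLE_WEAK_WORDS = array(
    'access', 'admin', 'administrator', 'backup', 'guest', 'pass',
    'password', 'root', 'test', 'user', 'username', 'webmaster',
);

/**
 * Flags a password whose letters alone spell a wordlist entry (so that
 * "admin2015!" is caught as well as "admin"), or that is shorter than
 * the assumed 12-character floor.
 */
function gus_example_password_is_weak( $password ) {
    $letters = preg_replace( '/[^a-z]/', '', strtolower( $password ) );
    return in_array( $letters, GUS_EXAMPLE_WEAK_WORDS, true ) || strlen( $password ) < 12;
}

foreach ( gus_example_duplicate_salts( $example_salts ) as $group ) {
    echo 'Identical values: ', implode( ', ', $group ), "\n";
}
print_r( gus_example_salt_composition( $example_salts['AUTH_KEY'] ) );
var_dump( gus_example_password_is_weak( 'admin2015!' ) );
var_dump( gus_example_password_is_weak( 'X7#qLw9!pRt2vZ' ) );
```

For the constructed input, check A reports all eight names as one group and check B returns zero digits and zero signs for the placeholder, which is exactly the signature of a translated default. Comparing against a fixed English string would miss it, so the checks are written on structure, not on the known default text.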
Thank you for including my fixes.
Could you add this in the next release to enable e.g. nginx?
// under "if( isset($is_nginx) && $is_nginx )"
if ( defined( 'GUS_FORCED_ENABLE' ) && GUS_FORCED_ENABLE )
{
$pass_reqs = true;
}
With the Gauntlet Security plugin 1.1.1, when I first visit /wp-admin/admin.php?page=gauntlet-security, I see some bare PHP:
Files
message): ?> class=’toggle has_icon_lg’> message): ?> Make sure your server is not vulnerable to the Shellshock Bash bug message): ?>
message): ?> class=’toggle has_icon_lg’> message): ?> Set correct file and directory permissions message): ?>
message): ?> class=’toggle has_icon_lg’> message): ?> Turn off directory indexing message): ?>
message): ?> class=’toggle has_icon_lg’> message): ?> Prevent code execution in the uploads directory message): ?>
message): ?> class=’toggle has_icon_lg’> message): ?> Block files in the includes directory message): ?>
message): ?> class=’toggle has_icon_lg’> message): ?> Rename or move the content directory message): ?>
PHP
message): ?> class=’toggle has_icon_lg’> message): ?> Disable dangerous PHP functions message): ?>
message): ?> class=’toggle has_icon_lg’> message): ?> Disable allow_url_include and allow_url_fopen PHP flags message): ?>
Database
message): ?> class=’toggle has_icon_lg’> message): ?> Use a strong database password message): ?>
message): ?> class=’toggle has_icon_lg’> message): ?> Change the default database table prefix message): ?>
… and so forth.
When I click “Scan Now”, these are replaced with the correctly-styled text (red, yellow, or green).

I installed the plugin, but when I go to /wp-admin/tools.php?page=gauntlet-security, I get an error in my Apache log:
[Mon Sep 29 09:50:40 2014] [error] [client xxx.xxx.xxx.xxx] PHP Warning: require_once(/Users/xxx/Sites/wp-content/plugins/gauntlet-security/admin/includes/classes/gus_Shellshock.php): failed to open stream: No such file or directory in /Users/xxx/Sites/wp-content/plugins/gauntlet-security/admin/includes/classes/gus_TestRunner.php on line 69, referer: https://www.xxx.com/wp-admin/tools.php?page=gauntlet-security
[Mon Sep 29 09:50:40 2014] [error] [client xxx.xxx.xxx.xxx] PHP Fatal error: require_once(): Failed opening required ‘/Users/xxx/Sites/wp-content/plugins/gauntlet-security/admin/includes/classes/gus_Shellshock.php’ (include_path=’.:’) in /Users/xxx/Sites/wp-content/plugins/gauntlet-security/admin/includes/classes/gus_TestRunner.php on line 69, referer: https://www.xxx.com/wp-admin/tools.php?page=gauntlet-security
Does this script perform the analysis within the installation or is information sent to any other service or party?