• Resolved c0ntr07

    (@c0ntr07)


    I was absolutely shocked that a security plugin is making such a basic security 101 error (not to mention being out of compliance with NIST 800-63-3, ISO27000, CIS, HIPAA, GDPR, ….)

    How can I stop the logging of clear text passwords?

    In aiowps_audit_log in the stacktrace column you can find something like this:

    a:10:{i:0;a:6:{s:4:"file";s:56:"/home/SERVER-LOGIN/public_html/wp-includes/class-wp-hook.php";s:4:"line";i:308;s:8:"function";s:12:"record_event";s:5:"class";s:33:"AIOWPSecurity_Audit_Event_Handler";s:4:"type";s:2:"->";s:4:"args";a:4:{i:0;s:16:"successful_login";i:1;a:1:{s:16:"successful_login";a:1:{s:8:"username";s:10:"ADMINUSER";}}i:2;s:4:"info";i:3;s:10:"ADMINUSER";}}i:1;a:6:{s:4:"file";s:56:"/home/SERVER-LOGIN/public_html/wp-includes/class-wp-hook.php";s:4:"line";i:332;s:8:"function";s:13:"apply_filters";s:5:"class";s:7:"WP_Hook";s:4:"type";s:2:"->";s:4:"args";a:2:{i:0;s:0:"";i:1;a:4:{i:0;s:16:"successful_login";i:1;a:1:{s:16:"successful_login";a:1:{s:8:"username";s:10:"ADMINUSER";}}i:2;s:4:"info";i:3;s:10:"ADMINUSER";}}}i:2;a:6:{s:4:"file";s:49:"/home/SERVER-LOGIN/public_html/wp-includes/plugin.php";s:4:"line";i:517;s:8:"function";s:9:"do_action";s:5:"class";s:7:"WP_Hook";s:4:"type";s:2:"->";s:4:"args";a:1:{i:0;s:0:"";}}i:3;a:4:{s:4:"file";s:118:"/home/SERVER-LOGIN/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-audit-events.php";s:4:"line";i:464;s:8:"function";s:9:"do_action";s:4:"args";a:5:{i:0;s:19:"aiowps_record_event";i:1;s:16:"successful_login";i:2;a:1:{s:16:"successful_login";a:1:{s:8:"username";s:10:"ADMINUSER";}}i:3;s:4:"info";i:4;s:10:"ADMINUSER";}}i:4;a:6:{s:4:"file";s:116:"/home/SERVER-LOGIN/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-user-login.php";s:4:"line";i:185;s:8:"function";s:22:"event_successful_login";s:5:"class";s:26:"AIOWPSecurity_Audit_Events";s:4:"type";s:2:"::";s:4:"args";a:1:{i:0;s:10:"ADMINUSER";}}i:5;a:6:{s:4:"file";s:56:"/home/SERVER-LOGIN/public_html/wp-includes/class-wp-hook.php";s:4:"line";i:308;s:8:"function";s:17:"post_authenticate";s:5:"class";s:24:"AIOWPSecurity_User_Login";s:4:"type";s:2:"->";s:4:"args";a:1:{i:0;s:7:"WP_User";}}i:6;a:6:{s:4:"file";s:49:"/home/SERVER-LOGIN/public_html/wp-includes/plugin.php";s:4:"line";i:205;s:8:"function";s:13:"apply_filters";s:5:"class";s:7:"WP_Hook";s:4:"type";s:2:"->";s:4:"args";a:1:{i:0;s:7:"WP_User";}}i:7;a:4:{s:4:"file";s:52:"/home/SERVER-LOGIN/public_html/wp-includes/pluggable.php";s:4:"line";i:616;s:8:"function";s:13:"apply_filters";s:4:"args";a:4:{i:0;s:12:"authenticate";i:1;N;i:2;s:10:"ADMINUSER";i:3;s:16:"ADMIN_PASSWORD_IN_CLEARTEXT";}}i:8;a:4:{s:4:"file";s:47:"/home/SERVER-LOGIN/public_html/wp-includes/user.php";s:4:"line";i:106;s:8:"function";s:15:"wp_authenticate";s:4:"args";a:2:{i:0;s:10:"ADMINUSER";i:1;s:16:"ADMIN_PASSWORD_IN_CLEARTEXT";}}i:9;a:4:{s:4:"file";s:39:"/home/SERVER-LOGIN/public_html/wp-login.php";s:4:"line";i:1241;s:8:"function";s:9:"wp_signon";s:4:"args";a:1:{i:0;s:0:"";}}}

    How can this be fixed so we don’t fail the upcoming security review and audit by our third-party compliance auditors?
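
The mechanism behind the trace above is worth seeing in code. The plugin serialized a full PHP backtrace into the stacktrace column, and a backtrace taken with default options keeps every frame's arguments; the password therefore lands in the table twice, once as the fourth argument of the global apply_filters('authenticate', ...) frame and once as the second argument of wp_authenticate(). The following is an added example written for this page, not code from AIOS or WordPress. demo_wp_authenticate() is a hypothetical stand-in for wp_authenticate(), 'hunter2-example' is a made-up password, the sample rows are constructed, and the table name and id column in the DELETE statement are assumptions about a default install.

```php
<?php
// Added example (not AIOS or WordPress code): why serializing a full
// debug_backtrace() into an audit table writes the login password to the
// database, the one-flag fix, and a scan for rows already written.
// demo_wp_authenticate() is a hypothetical stand-in for wp_authenticate();
// the table and id column in the DELETE are assumptions about the install.
declare(strict_types=1);

// Stand-in for wp_authenticate($username, $password): while this frame is
// on the stack, the cleartext password is one of its arguments.
function demo_wp_authenticate(string $username, string $password, string $recorder): string
{
    // Password verification would happen here; we only fire the audit hook.
    return $recorder('successful_login', $username);
}

// Leaky recorder: debug_backtrace() with default options keeps every frame's
// 'args', so the demo_wp_authenticate() frame carries $password into the row.
function record_event_leaky(string $event, string $username): string
{
    return serialize(debug_backtrace());
}

// Hardened recorder: DEBUG_BACKTRACE_IGNORE_ARGS drops 'args' from every
// frame; file/line/function/class are all an audit trail needs.
function record_event_safe(string $event, string $username): string
{
    return serialize(debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS));
}

// Given rows from the log table (id => serialized stacktrace), return the ids
// whose trace still carries arguments for a credential-bearing frame: the
// login functions themselves, or a dispatch of the 'authenticate' hook, whose
// hook args are (null, $username, $password). allowed_classes=false stops a
// hostile row from instantiating objects during unserialize().
function find_credential_rows(array $rows): array
{
    $login_functions = ['wp_authenticate', 'wp_signon', 'demo_wp_authenticate'];
    $hits = [];
    foreach ($rows as $id => $serialized) {
        $trace = @unserialize($serialized, ['allowed_classes' => false]);
        if (!is_array($trace)) {
            continue;
        }
        foreach ($trace as $frame) {
            if (!is_array($frame) || empty($frame['args']) || !isset($frame['function'])) {
                continue;
            }
            $is_login_fn = in_array($frame['function'], $login_functions, true);
            $is_auth_hook = in_array($frame['function'], ['apply_filters', 'do_action'], true)
                && ($frame['args'][0] ?? null) === 'authenticate';
            if ($is_login_fn || $is_auth_hook) {
                $hits[] = $id;
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample rows. 'hunter2-example' is a made-up password. Row 103 is
// hand-built to look like the global apply_filters('authenticate', ...) frame
// from the post, which a check on login function names alone would miss.
$rows = [
    101 => demo_wp_authenticate('ADMINUSER', 'hunter2-example', 'record_event_leaky'),
    102 => demo_wp_authenticate('ADMINUSER', 'hunter2-example', 'record_event_safe'),
    103 => serialize([['file' => 'wp-includes/pluggable.php', 'line' => 616, 'function' => 'apply_filters',
                       'args' => ['authenticate', null, 'ADMINUSER', 'hunter2-example']]]),
];

// Leaky recorder: the password is serialized into the row.
var_dump(strpos($rows[101], 'hunter2-example') !== false);
// Hardened recorder: the row holds only file/line/function/class.
var_dump(strpos($rows[102], 'hunter2-example') !== false);

$purge = find_credential_rows($rows);
if ($purge !== []) {
    // Assumes the default 'wp_' prefix and an 'id' column; adjust to your install.
    printf("DELETE FROM wp_aiowps_audit_log WHERE id IN (%s);\n", implode(',', $purge));
}
```

Two practitioner notes. First, once the recorder stops saving arguments, any row that still has an 'args' key predates the fix, so the conservative purge is to delete every such row rather than only the ones the scanner flags; the same trace pattern in PHP's own uncaught-exception output is controlled by the zend.exception_ignore_args ini setting, which php.ini-production turns on. Second, a password that has been written to a database table has to be treated as exposed, including in every backup and replica that holds a copy of that table, so rotating the affected accounts' credentials belongs on the remediation list next to the purge.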

Viewing 15 replies - 1 through 15 (of 19 total)
  • Plugin Support aporter

    (@aporter)

    Hi,

    This is a known bug in the last release.

    This copy of the zip contains the fix and clears the previous logs.

    https://gofile.io/d/GsplaK

    This will be available in the next release which should be released soon.

    Best Wishes,

    Ashley

    Thread Starter c0ntr07

    (@c0ntr07)

    Why isn’t this being treated as a critical vulnerability and immediately pushed?

    This is a HUGE issue. Anyone, like a contractor, has access to the username and passwords of all other site admins.

    Furthermore, as our pentesting has documented, contractors and site designers have very poor password practices. Our contractor’s credentials are the same ones they use on ALL OF THEIR OTHER CLIENT SITES (and their Gmail and Facebook).

    Plugin Support aporter

    (@aporter)

    Hi,

    This is a top priority, a fix was made as soon as it was first reported.

    I’ve provided a development copy to you so that you can resolve this issue on your site as soon as possible.

    We are still working through internal testing before making an official release.

    Best Wishes,

    Ashley

    Thread Starter c0ntr07

    (@c0ntr07)

    Thank you so much for the development copy. Unfortunately it didn’t work and threw an UNCAUGHT ERROR where AIOS_HELPER couldn’t be found, requiring a site restoration from backup.

    Plugin Support aporter

    (@aporter)

    Hi,

    Could you send the exact error message please so I can look into that.

    Can I also ask how you installed the plugin?

    Best Wishes,

    Ashley

    Thread Starter c0ntr07

    (@c0ntr07)

    I have a screenshot of the error message. How can I post it here?

    Plugin Support aporter

    (@aporter)

    Hi,

    You can upload it to a service like Dropbox or some other image sharing service and then post the link here.

    Best Wishes,

    Ashley

    Thread Starter c0ntr07

    (@c0ntr07)

    Plugin Support aporter

    (@aporter)

    Hi,

    Thanks for the screenshot.

    The error in the screenshot is coming from a call in the premium version of the plugin.

    I’m unable to reproduce it on my side.

    What version of the premium plugin do you have?

    Best Wishes,

    Ashley

    Thread Starter c0ntr07

    (@c0ntr07)

    • Version: 5.1.9
    • Last Updated: 1 month ago
    Plugin Support aporter

    (@aporter)

    Hi,

    Sorry about the delay.

    We have not been able to reproduce this internally.

    How did you install the zip? I’m wondering if WordPress timed out and left you with a partial install.

    Best Wishes,

    Ashley

    Thread Starter c0ntr07

    (@c0ntr07)

    Any update on when the fix will be officially published? We really need this critical vulnerability fixed and the logs purged.

    Plugin Support aporter

    (@aporter)

    Hi,

    The final release is ready I’m just waiting for the plugin owner to come online and push the next release.

    Will update you as soon as that happens.

    Best Wishes,

    Ashley

    Plugin Support aporter

    (@aporter)

    Hi,

    AIOS v5.2.0 has now been released.

    It includes the fix to prevent saving these details and also clears out old entries.

    Best Wishes,

    Ashley

    Thread Starter c0ntr07

    (@c0ntr07)

    The update just took down my site.

    Fatal error: Uncaught Error: Call to a member function log_debug() on null in /home/xwjqg932/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall-premium/classes/aiowps-premium-base-tasks.php:337
    Stack trace:
    #0 /home/xwjqg932/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall-premium/classes/aiowps-cb-country-tasks.php(106): AIOWPS_Premium_Base_Tasks->get_country_code_from_ip('107.77.223.161')
    #1 /home/xwjqg932/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall-premium/classes/aiowps-cb-country-tasks.php(31): AIOWPS_Country_Tasks->is_blocked()
    #2 /home/xwjqg932/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall-premium/classes/aiowp-cb-general-init-tasks.php(27): AIOWPS_Country_Tasks->perform_country_check()
    #3 /home/xwjqg932/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall-premium/classes/aiowp-cb-general-init-tasks.php(13): AIOWPS_CB_General_Init_Tasks->do_country_blocking_general_tasks()
    #4 /home/xwjqg932/public_html/wp-content/plugins/all
    in /home/xwjqg932/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall-premium/classes/aiowps-premium-base-tasks.php on line 337

    There has been a critical error on this website.

  • The topic ‘Cleartext passwords written to aiowps_audit_log’ is closed to new replies.