• Resolved junkgrave

    (@junkgrave)


    Your latest update lets hackers hack as much as they want:

    Aug 20 20:39:32 liveserver wordpress(website.com)[26041]: Authentication attempt for unknown user admin from 195.206.253.146
    Aug 20 20:39:32 liveserver wordpress(website.com)[26048]: Authentication attempt for unknown user admin from 195.206.253.146
    Aug 20 20:39:33 liveserver wordpress(website.com)[26110]: Authentication attempt for unknown user admin from 195.206.253.146
    Aug 20 20:39:34 liveserver wordpress(website.com)[26047]: Authentication attempt for unknown user admin from 195.206.253.146
    Aug 20 20:39:35 liveserver wordpress(website.com)[26011]: Authentication attempt for unknown user admin from 195.206.253.146

    Neither of your jails/filters (soft or hard) even contain the appropriate regexp:
    ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$

    Unless you’ve grown a soft spot in your heart for hackers, let’s add the appropriate regexp back to one of the jails. 🙂

    https://www.ads-software.com/plugins/wp-fail2ban/
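    As an added illustration (not code from the plugin or from this thread), the following shows how the rule quoted above changes what the filter catches: it runs a known-user-only filter and the same filter with the unknown-user rule over constructed log lines. It assumes simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST> macros and a constructed known-user failregex.

```python
import re

# Constructed sample lines in the same shape as the ones quoted in the post.
SAMPLE_LOG = """\
Aug 20 20:39:32 liveserver wordpress(website.com)[26041]: Authentication attempt for unknown user admin from 195.206.253.146
Aug 20 20:39:33 liveserver wordpress(website.com)[26110]: Authentication attempt for unknown user admin from 195.206.253.146
Aug 20 20:39:40 liveserver wordpress(website.com)[26200]: Authentication failure for admin from 203.0.113.9
Aug 20 20:39:41 liveserver wordpress(website.com)[26201]: Accepted password for editor from 198.51.100.7
"""

# Assumption: simplified stand-in for fail2ban's %(__prefix_line)s macro
# (syslog timestamp, hostname, "wordpress(<site>)[pid]: "). The real macro in
# fail2ban's common.conf is more general than this.
PREFIX_LINE = r"\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ wordpress\([^)]*\)\[\d+\]: "

# Assumption: simplified stand-in for fail2ban's <HOST> placeholder.
HOST = r"(?P<host>\S+)"

# Constructed: a filter that only catches password failures for known users.
KNOWN_USER_ONLY = [r"^%(__prefix_line)sAuthentication failure for .* from <HOST>$"]

# The same filter with the unknown-user rule quoted in the post added.
WITH_UNKNOWN_USER = KNOWN_USER_ONLY + [
    r"^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$",
]


def compile_filter(failregex):
    """Expand the two macros and compile the anchored failregex."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(pattern)


def matching_hosts(failregexes, log_text):
    """Return the host captured from every log line that matches a failregex."""
    compiled = [compile_filter(r) for r in failregexes]
    hosts = []
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.match(line)
            if m:
                hosts.append(m.group("host"))
                break  # one match per line is enough for a ban counter
    return hosts


if __name__ == "__main__":
    print("known-user filter:", matching_hosts(KNOWN_USER_ONLY, SAMPLE_LOG))
    print("with unknown-user rule:", matching_hosts(WITH_UNKNOWN_USER, SAMPLE_LOG))
```

Without the unknown-user rule the two probes from 195.206.253.146 never count towards a ban, which is the gap the post describes.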

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author invisnet

    (@invisnet)

    Thanks for the bug report – fixed in 3.5.3, available a few minutes ago.

    Just a few points:

    It took me longer to cut through the sarcasm and work out what the problem was than to fix it. Thanks for that.

    The hyperbole in the title was wonderful, too. Yes, it’s annoying that it didn’t match unknown users and yes, that’s a bug, but they’d still have been banned when they got the password wrong for a known user.

    Lastly, had this actually been a security problem, a post on a public forum hardly qualifies as responsible disclosure.

    Thanks again for the bug report.

    Thread Starter junkgrave

    (@junkgrave)

    Thanks for the quick fix.

    I don’t understand – how is me explicitly giving you the regexp and telling you that it’s missing from both the hard and soft filters “sarcasm” that you have to “cut through”? And how is this not a major security flaw when it lets people brute force username attempts until they find valid usernames, which is a huge advantage?

    You even closed this issue that someone opened over a week ago that shows the bug in action as well:
    https://www.ads-software.com/support/topic/working-with-232-and-not-vith-351

    …without actually addressing the bug. The bug reporter even posted the existing jail’s regexps, and highlighted the fact that they get 0 matches on the failed attempts that they showed in their auth logs.

    If you’re referring to my little jibe at the end about the soft spot in your heart, that was obviously a joke, hence the playful tone and the smiley face. But your veiled threats of ramifications for irresponsible disclosure are not jokes.

    Misunderstandings aside, the plugin is great and much needed in today’s world, and I really appreciate it.

    Plugin Author invisnet

    (@invisnet)

    In order:

    Compare and contrast your report to this one. I read your post as sarcasm; upon review, perhaps facetious might suit better. Have you read this? The penultimate point of the summary is particularly apt:

    Write clearly. Say what you mean, and make sure it can’t be misinterpreted.

    When attackers can try https://example.com/author/<author_nick>, no, I don’t think it’s serious. (Incidentally, I plan to address that problem in 3.6). Basically, if a bug in my plugin doesn’t allow you to do anything beyond what you could do without it, then no, it’s not a “major” problem. It’s certainly a bug, but in this case it’s not a security flaw.

    As for the other report you mention, the WordPress “support” forum system sucks. I rely on email notifications, and for whatever reason I didn’t get any for the past week or so. (They normally work quite well, so for example I got the earlier version of your reply, complete with ad hominem and DKIM signature). Yes, I closed that report, but I’d have re-opened it had I seen it, just as I’ve done several times before.

    And here we come to the bit where it all goes weird: “veiled threats”?! I merely pointed out that if your first contact for something you yourself describe as a “major security flaw” is via a public forum, that’s not responsible disclosure. I stand by that.

    Thread Starter junkgrave

    (@junkgrave)

    Your points are all totally valid, and upon re-reading my original post, your response was warranted.

    I want to apologize for my immature tone and phrasing. I really appreciate you sharing and maintaining this excellent piece of free software. It’s a concise and elegant solution to a frustrating problem.

    I may have been channeling/misplacing annoyance from recent hacking attempts on my WP installs into my bug report, which I regret as your plugin has been of great help in this regard.

    Thank you again for it, and sorry for being an ass. If I could delete this thread, I would do so – if you have that power, please feel free. I’ve read the article you linked to and will be sure to create all future bug reports with more professionalism.

    New update works with my server. I will test it on the other 3 and I will update. thx a lot for your work.
    ciao

  • The topic ‘Major security flaw.’ is closed to new replies.