Wordpress iThemes Security (Better WP Security) Insecure Backup/Logfile Generation (predictable filename)
=========================================================================================================
Description
===========

When using the "database backup/logging on filesystem" feature, iThemes Security generates a weak filename, allowing attackers to obtain the backup/log file if they know when it was generated (its timestamp).

**Access Vector**: remote
**Security Risk**: medium
**Vulnerability**: CWE-330
**CVSS Base Score**: 7.5

---------------
Vulnerable code
---------------

The vulnerable code is located at core/modules/backup/class-itsec-backup.php, line 244:

    $file = 'backup-' . substr( sanitize_title( get_bloginfo( 'name' ) ), 0, 20 ) . '-' . $current_time . '-' . ITSEC_Lib::get_random( mt_rand( 5, 10 ) );

In core/class-itsec-logger.php, line :

    $itsec_globals['settings']['log_info'] = substr( sanitize_title( get_bloginfo( 'name' ) ), 0, 20 ) . '-' . ITSEC_Lib::get_random( mt_rand( 0, 10 ) );

In core/class-itsec-lib.php, function get_random, line 415:

    public static function get_random( $length, $base32 = false, $special_chars = false ) {
        if ( true === $base32 ) {
            $string = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
        } else {
            $string = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
            if ( true === $special_chars ) {
                $string .= '_)(*&^%$#@!~`:;<>,.?/{}[]|';
            }
        }
        return substr( str_shuffle( $string ), mt_rand( 0, strlen( $string ) - $length ), $length );
    }

str_shuffle() should *never* be used to generate secure strings: it relies on PHP's non-cryptographic rand() function and merely reorders the characters of a fixed alphabet.

--------
Solution
--------

Generate non-predictable strings using cryptographically secure generators.

Update iThemes Security to version >= 5.3.1.

Affected versions
=================

* iThemes Security <= 5.3.0

Timeline (dd/mm/yyyy)
=====================

* 26/02/2016 : Initial contact with iThemes.
* 26/02/2016 : iThemes confirms the vulnerabilities.
* 29/02/2016 : iThemes publishes a new version (5.3.1) of iThemes Security that fixes the vulnerabilities.
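The following is an added illustration of the "Vulnerable code" and "Solution" sections above; it is not iThemes code. It places the advisory's weak generator next to a hardened replacement built on random_int() and shows that, under a fixed Mersenne Twister seed (the seed value 12345 is an arbitrary constructed one), the weak generator repeats its output while the hardened one does not. It assumes PHP >= 7.1, where str_shuffle() and mt_rand() share the same PRNG.

```php
<?php
// Added example, not iThemes code: weak generator from the advisory vs. a hardened form.

function weak_get_random( $length ) {
    // Same construction as the vulnerable ITSEC_Lib::get_random(): both the
    // character order (str_shuffle) and the offset (mt_rand) come from the
    // non-cryptographic Mersenne Twister, so the output is a function of its seed.
    $string = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    return substr( str_shuffle( $string ), mt_rand( 0, strlen( $string ) - $length ), $length );
}

function secure_get_random( $length, $base32 = false, $special_chars = false ) {
    // Hardened form with the original alphabet selection kept as-is: each
    // character index is drawn from the CSPRNG behind random_int() (PHP >= 7.0).
    if ( true === $base32 ) {
        $string = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    } else {
        $string = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        if ( true === $special_chars ) {
            $string .= '_)(*&^%$#@!~`:;<>,.?/{}[]|';
        }
    }
    $out = '';
    $max = strlen( $string ) - 1;
    for ( $i = 0; $i < $length; $i++ ) {
        $out .= $string[ random_int( 0, $max ) ];
    }
    return $out;
}

// Demonstration: pin the PRNG seed (constructed value) and generate twice.
// A filename derived from the weak generator is fully determined by this seed.
mt_srand( 12345 );
$a = weak_get_random( 8 );
mt_srand( 12345 );
$b = weak_get_random( 8 );
echo "weak,   same seed twice: $a  $b  " . ( $a === $b ? 'IDENTICAL' : 'differ' ) . "\n";

// random_int() ignores mt_srand(), so reseeding has no effect on the hardened form.
mt_srand( 12345 );
$c = secure_get_random( 8 );
mt_srand( 12345 );
$d = secure_get_random( 8 );
echo "secure, same seed twice: $c  $d  " . ( $c === $d ? 'IDENTICAL' : 'differ' ) . "\n";
```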
Credits
=======

* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)

--
SYSDREAM Labs <l...@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream