
List:       full-disclosure
Subject:    [FD] Wordpress iThemes Security (Better WP Security) Insecure Backup/Logfile Generation (predicatabl
From:       Sysdream Labs <labs () sysdream ! com>
Date:       2016-04-21 8:12:29
Message-ID: 57188B6D.7050401 () sysdream ! com



Wordpress iThemes Security (Better WP Security) Insecure Backup/Logfile Generation (predictable filename)
==========================================================================================================



Description
===========

When the "database backup/logging on filesystem" feature is used, iThemes Security derives the backup and log filenames from a weak random generator. An attacker who knows when the backup/log file was generated (its timestamp) can therefore guess the filename and obtain the backup/log file.

**Access Vector**: remote

**Security Risk**: medium

**Vulnerability**: CWE-330

**CVSS Base Score**: 7.5


---------------
Vulnerable code
---------------

The vulnerable code is located at core/modules/backup/class-itsec-backup.php, line 244:

        $file = 'backup-' . substr( sanitize_title( get_bloginfo( 'name' ) ), 0, 20 ) . '-' . $current_time . '-' . ITSEC_Lib::get_random( mt_rand( 5, 10 ) );

In core/class-itsec-logger.php, line  :

        $itsec_globals['settings']['log_info'] = substr( sanitize_title( get_bloginfo( 'name' ) ), 0, 20 ) . '-' . ITSEC_Lib::get_random( mt_rand( 0, 10 ) );


In core/class-itsec-lib.php, function get_random, line 415:

        public static function get_random( $length, $base32 = false, $special_chars = false ) {

                if ( true === $base32 ) {

                        $string = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

                } else {

                        $string = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

                        if ( true === $special_chars ) {

                                $string .= '_)(*&^%$#@!~`:;<>,.?/{}[]|';

                        }

                }

                // str_shuffle() and mt_rand() are not cryptographically secure generators
                return substr( str_shuffle( $string ), mt_rand( 0, strlen( $string ) - $length ), $length );

        }


str_shuffle() should *never* be used to generate secure strings: it relies on PHP's rand() function and merely permutes the positions of the characters of a fixed string.

--------
Solution
--------

Make sure non-predictable strings are generated with a cryptographically secure generator. Update iThemes Security to version >= 5.3.1.
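As an added illustration written for this note (not iThemes' code and not the actual 5.3.1 fix), a replacement for get_random() that draws each character independently from PHP's random_int(), together with a backup-filename builder that uses a fixed-length suffix; PHP >= 7.0 and the already-sanitized $slug argument are assumptions.

```php
<?php
// Added example, not iThemes' code: a CSPRNG-backed replacement for the
// get_random() helper quoted above, plus a backup-filename builder whose
// secrecy no longer depends on the timestamp. Assumes PHP >= 7.0 (random_int)
// and that $slug is the already-sanitized blog name.
declare(strict_types=1);

function secure_random_string(int $length, bool $base32 = false, bool $special_chars = false): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be >= 1');
    }
    if ($base32) {
        $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    } else {
        $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        if ($special_chars) {
            $alphabet .= '_)(*&^%$#@!~`:;<>,.?/{}[]|';
        }
    }
    $last = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() reads the OS CSPRNG; every position is drawn
        // independently, so characters may repeat and the output space is
        // alphabet_size^length rather than a shuffle of one fixed string.
        $out .= $alphabet[random_int(0, $last)];
    }
    return $out;
}

// Bits of guessing work the suffix represents once the timestamp is known.
function suffix_entropy_bits(int $length, int $alphabet_size): float
{
    return $length * log($alphabet_size, 2);
}

function backup_filename(string $slug, int $current_time): string
{
    // Fixed 32-character suffix instead of mt_rand(5, 10) characters:
    // the suffix length itself is no longer chosen by the weak PRNG.
    return 'backup-' . substr($slug, 0, 20) . '-' . $current_time . '-'
        . secure_random_string(32);
}

// Constructed sample values for a run.
echo backup_filename('example-blog', time()), PHP_EOL;
printf("suffix entropy: %.1f bits\n", suffix_entropy_bits(32, 62));
```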

Affected versions
=================

* iThemes Security <= 5.3.0

Timeline (dd/mm/yyyy)
=====================

* 26/02/2016 : Initial contact with iThemes.
* 26/02/2016 : iThemes confirms the vulnerabilities.
* 29/02/2016 : iThemes publishes a new version (5.3.1) of iThemes Security that fixes the vulnerabilities.

Credits
=======

* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)



-- 
SYSDREAM Labs <labs@sysdream.com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
