Changeset 1040048

Timestamp:

12/07/2014 10:47:41 PM (11 years ago)

Author:

cbergen

Message:

tagging v1.2.0

Location:

gauntlet-security

Files:

• assets/screenshot-1.png (modified) (previous)
• assets/screenshot-2.png (modified) (previous)
• assets/screenshot-3.png (modified) (previous)
• assets/screenshot-4.png (modified) (previous)
• tags/1.2.0 (copied) (copied from gauntlet-security/trunk)
• tags/1.2.0/README.txt (modified) (4 diffs)
• tags/1.2.0/admin/assets/css/admin.css (modified) (1 diff)
• tags/1.2.0/admin/assets/js/admin.js (modified) (1 diff)
• tags/1.2.0/admin/includes/classes/gus_AdminUsername.php (modified) (2 diffs)
• tags/1.2.0/admin/includes/classes/gus_BmuhtMit.php (modified) (2 diffs)
• tags/1.2.0/admin/includes/classes/gus_ExecutableUploads.php (modified) (1 diff)
• tags/1.2.0/admin/includes/classes/gus_NickNames.php (modified) (1 diff)
• tags/1.2.0/admin/includes/classes/gus_PhpAllowUrl.php (modified) (1 diff)
• tags/1.2.0/admin/includes/classes/gus_PhpFunctions.php (modified) (1 diff)
• tags/1.2.0/admin/includes/classes/gus_StrayFiles.php (added)
• tags/1.2.0/admin/includes/classes/gus_TestBase.php (modified) (1 diff)
• tags/1.2.0/admin/includes/classes/gus_TestRunner.php (modified) (1 diff)
• tags/1.2.0/admin/includes/classes/gus_UserNames.php (modified) (2 diffs)
• tags/1.2.0/gauntlet-security.php (modified) (1 diff)
• trunk/README.txt (modified) (4 diffs)
• trunk/admin/assets/css/admin.css (modified) (1 diff)
• trunk/admin/assets/js/admin.js (modified) (1 diff)
• trunk/admin/includes/classes/gus_AdminUsername.php (modified) (2 diffs)
• trunk/admin/includes/classes/gus_BmuhtMit.php (modified) (2 diffs)
• trunk/admin/includes/classes/gus_ExecutableUploads.php (modified) (1 diff)
• trunk/admin/includes/classes/gus_NickNames.php (modified) (1 diff)
• trunk/admin/includes/classes/gus_PhpAllowUrl.php (modified) (1 diff)
• trunk/admin/includes/classes/gus_PhpFunctions.php (modified) (1 diff)
• trunk/admin/includes/classes/gus_StrayFiles.php (added)
• trunk/admin/includes/classes/gus_TestBase.php (modified) (1 diff)
• trunk/admin/includes/classes/gus_TestRunner.php (modified) (1 diff)
• trunk/admin/includes/classes/gus_UserNames.php (modified) (2 diffs)
• trunk/gauntlet-security.php (modified) (1 diff)

gauntlet-security/tags/1.2.0/README.txt

@@ -4 +4 @@
 Tags: security, secure, vulnerability, exploit, hacks, audit, scanner, virus, gauntlet, checklist, protection
 Requires at least: 3.4
-Tested up to: 4.0
-Stable tag: 1.1.2
+Tested up to: 4.0.1
+Stable tag: 1.2.0
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
@@ -23 +23 @@
 * Prevent code execution in the uploads directory
 * Block files in the includes directory
+* Prevent access to any stray files which could be useful to attackers
 * Rename or move the content directory
-* Make sure your server is not vulnerable to the Shellshock Bash bug
 * Disable dangerous PHP functions
 * Disable allow_url_include and allow_url_fopen PHP flags
@@ -32 +32 @@
 * Turn off the display of PHP errors
 * Turn off file editing in the control panel
-* Set security keys in the WP-Config file
+* Set security keys in WP-Config file
 * Don't advertise the WordPress version you are running
 * Turn off self-registration
@@ -96 +96 @@
 2. All checks include a detailed explanation and instructions on how to fix the issue. 
 3. Not all issues need to be fixed. Less important tests are included for the paranoid. 
+4. The plugin check will raise red flags if plugins aren't being maintained or haven't been updated 
 
 == Changelog ==
+
+= 1.2.0 =
+* New test: Prevent access to stray non-Wordpress files which could be useful to attackers
+* Remove test: Shellshock test (not an ongoing concern)
+* Enhancement: User enumeration test checks users with posts
+* Enhancement: Increase reliabilty if site is using a self-signed TLS certificate
+* Enhancement: Added common usernames (thanks to Viktor Szépe & Simon Fredsted)
+* Enhancement: Allowance for overriding requirements check
 
 = 1.1.2 =

gauntlet-security/tags/1.2.0/admin/assets/css/admin.css

@@ -318 +318 @@
     color:#DB2C64;
 }
-.critical h2, table .critical td{
-    color:red;
+.critical h2, 
+table .critical td *,
+table .critical td{
+    color:red !important;
     font-weight:bold;
 }

gauntlet-security/tags/1.2.0/admin/assets/js/admin.js

@@ -18 +18 @@
             */
             var tests = [
-                ['gus_FilePermissions', 'slow'],
-                ['gus_DirectoryIndexing', 2],
-                ['gus_ExecutableUploads', 2],
-                ['gus_SecureIncludes', 2],
-                ['gus_Shellshock', 'slow'],
-                ['gus_WpContentLocation', 2],
-                ['gus_PhpFunctions', 2],
-                ['gus_PhpAllowUrl', 2],
-                ['gus_DbPassword', 2],
-                ['gus_WpTable', 2],
-                ['gus_WpVersion', 2],
-                ['gus_PhpDisplayErrors', 2],
-                ['gus_FileEditing', 2],
-                ['gus_KeysAndSalts', 2],
-                ['gus_WpGenerator', 2],
-                ['gus_AnyoneCanRegister', 2],
-                ['gus_SslAdmin', 2],
-                ['gus_PluginAudit', 'slow'],
-                ['gus_UnusedThemes', 2],
-                ['gus_BmuhtMit', 'slow'],
-                ['gus_AdminUsername', 2],
-                ['gus_CommonPasswords', 'slow'],
-                ['gus_UserIdOne', 'slow'],
-                ['gus_AdminCount', 'slow'],
-                ['gus_NickNames', 'slow'],
-                ['gus_UserNames', 'slow']
+                ['gus_FilePermissions', 'slow'],
+                ['gus_DirectoryIndexing', 2],
+                ['gus_ExecutableUploads', 2],
+                ['gus_SecureIncludes', 2],
+                ['gus_StrayFiles', 'slow'],
+                ['gus_WpContentLocation', 2],
+                ['gus_PhpFunctions', 2],
+                ['gus_PhpAllowUrl', 2],
+                ['gus_DbPassword', 2],
+                ['gus_WpTable', 2],
+                ['gus_WpVersion', 2],
+                ['gus_PhpDisplayErrors', 2],
+                ['gus_FileEditing', 2],
+                ['gus_KeysAndSalts', 2],
+                ['gus_WpGenerator', 2],
+                ['gus_AnyoneCanRegister', 2],
+                ['gus_SslAdmin', 2],
+                ['gus_PluginAudit', 'slow'],
+                ['gus_UnusedThemes', 2],
+                ['gus_BmuhtMit', 'slow'],
+                ['gus_AdminUsername', 2],
+                ['gus_CommonPasswords', 'slow'],
+                ['gus_UserIdOne', 'slow'],
+                ['gus_AdminCount', 'slow'],
+                ['gus_NickNames', 'slow'],
+                ['gus_UserNames', 'slow'],
             ];
             var finished_tests = 0;

gauntlet-security/tags/1.2.0/admin/includes/classes/gus_AdminUsername.php

@@ -8 +8 @@
 
     private $bad_names = array(
+        'adm',
         'admin',
+        'admin1',
         'administrator',
+        'backup',
+        'demo',
+        'editor',
+        'login',
+        'moderator',
+        'office',
+        'support',
         'test',
-        'support',
-        'adm',
+        'tester',
+        'user',
+        'user2',
+        'username',
     );
     private $bad_domain = '';
@@ -146 +157 @@
         return 'Intermediate';
     }
+
+    protected function references()
+    {
+        return <<<EOD
+            
+        <a href='http://simonfredsted.com/1260'>Simon Fredsted: 300,000 login attempts and 5 observations</a><br>
+        <a href='https://github.com/szepeviktor/wordpress-plugin-construction/blob/master/wordpress-fail2ban/block-bad-requests/wp-login-bad-request.inc.php'>Viktor Szépe: Block Bad Requests plugin</a><br>
+
+EOD;
+    }
+
 }

gauntlet-security/tags/1.2.0/admin/includes/classes/gus_BmuhtMit.php

@@ -191 +191 @@
         
         <p>The latest version is available here: 
-        <a href='{$this->latest_url}' target='_blank'>{$this->latest_url}</a></p>
+        <a href='{$this->latest_url}' target='_blank'>{$this->latest_url}</a>
+        but keep in mind that as of September 2014, it's no longer being maintained.
+        </p>
         
 EOD;
@@ -200 +202 @@
         return 'Advanced';
     }   
+
+    protected function references()
+    {
+        return <<<EOD
+            
+        <a href='http://www.binarymoon.co.uk/2014/09/timthumb-end-life/'>Binary Moon: TimThumb is No Longer Supported or Maintained</a><br>
+
+EOD;
+    }
 }

gauntlet-security/tags/1.2.0/admin/includes/classes/gus_ExecutableUploads.php

@@ -25 +25 @@
         */
         $full_url = $upload_dir['baseurl'] . '/' . $test_string . '.php';
-        $response = wp_remote_request( $full_url );
+        $args = (is_ssl()) ? array('sslverify' => false) : array() ; 
+        $response = wp_remote_request( $full_url, $args );
 
         if( is_array($response) && isset($response['response']['code']) )

gauntlet-security/tags/1.2.0/admin/includes/classes/gus_NickNames.php

@@ -93 +93 @@
         return <<<EOD
             
-        Change a user's display name by by editing their "Display name publicly as" setting.
+        Change a user's display name by editing their "Display name publicly as" setting.
 
 EOD;

gauntlet-security/tags/1.2.0/admin/includes/classes/gus_PhpAllowUrl.php

@@ -129 +129 @@
         $code = <<<EOD
 
-allow_url_include = 'off'
-allow_url_fopen = 'off'
+allow_url_include = off
+allow_url_fopen = off
 
 EOD;

gauntlet-security/tags/1.2.0/admin/includes/classes/gus_PhpFunctions.php

@@ -9 +9 @@
     private $dangerous = array(
         'exec', 
-        'passthru', 
         'shell_exec', 
         'system', 
+        'passthru', 
+        'pcntl_exec',
         'proc_open', 
-        'pcntl_exec',
     );
 

gauntlet-security/tags/1.2.0/admin/includes/classes/gus_TestBase.php

@@ -366 +366 @@
     }
     
+    protected function url_from_path($path)
+    {
+        return site_url() . '/' . str_replace(ABSPATH, '', $path);
+    }
     
     protected function start_timer()

gauntlet-security/tags/1.2.0/admin/includes/classes/gus_TestRunner.php

@@ -15 +15 @@
         $this->tests[] = array('gus_ExecutableUploads', 'Files');
         $this->tests[] = array('gus_SecureIncludes', 'Files');
-        $this->tests[] = array('gus_Shellshock', 'Files');
+        $this->tests[] = array('gus_StrayFiles', 'Files');
         $this->tests[] = array('gus_WpContentLocation', 'Files');
                                 

gauntlet-security/tags/1.2.0/admin/includes/classes/gus_UserNames.php

@@ -9 +9 @@
     {
         $users = get_users();
-        $first_user_id = $users[0]->ID;
+        foreach($users as $u)
+        {
+            if(count_user_posts($u->ID) > 0)
+            {
+                $test_user_id = $u->ID;            
+            }
+        }
+        
+        if( ! isset($test_user_id) )
+        {
+            $current_user = wp_get_current_user();
+            $test_user_id = $current_user->ID;
+        }
             
         /*
             Can usernames be easily enumerated? (like with WPScan)
         */
-        $url = site_url() . '/?author=' . $first_user_id;
-        $args = array();
+        $url = site_url() . '/?author=' . $test_user_id;
+        $args = (is_ssl()) ? array('sslverify' => false) : array() ; 
         $response = wp_remote_head( $url, $args );
+
         if( 
             ! is_object($response) && 
@@ -33 +46 @@
             if($response['response']['code'] == 301)
             {
-                $this->example_redirected_url = get_author_posts_url( $first_user_id );
+                $this->example_redirected_url = get_author_posts_url( $test_user_id );
             }
         }

gauntlet-security/tags/1.2.0/gauntlet-security.php

@@ -189 +189 @@
                 $pass_reqs = false;
             }
+            
+            // Force the plugin to be enabled. GUS_FORCE_ENABLE can be set in wp-config.php
+            if ( defined( 'GUS_FORCE_ENABLE' ) && GUS_FORCE_ENABLE )
+            {
+                $pass_reqs = true;
+            }
 
             return array(

gauntlet-security/trunk/README.txt

@@ -4 +4 @@
 Tags: security, secure, vulnerability, exploit, hacks, audit, scanner, virus, gauntlet, checklist, protection
 Requires at least: 3.4
-Tested up to: 4.0
-Stable tag: 1.1.2
+Tested up to: 4.0.1
+Stable tag: 1.2.0
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
@@ -23 +23 @@
 * Prevent code execution in the uploads directory
 * Block files in the includes directory
+* Prevent access to any stray files which could be useful to attackers
 * Rename or move the content directory
-* Make sure your server is not vulnerable to the Shellshock Bash bug
 * Disable dangerous PHP functions
 * Disable allow_url_include and allow_url_fopen PHP flags
@@ -32 +32 @@
 * Turn off the display of PHP errors
 * Turn off file editing in the control panel
-* Set security keys in the WP-Config file
+* Set security keys in WP-Config file
 * Don't advertise the WordPress version you are running
 * Turn off self-registration
@@ -96 +96 @@
 2. All checks include a detailed explanation and instructions on how to fix the issue. 
 3. Not all issues need to be fixed. Less important tests are included for the paranoid. 
+4. The plugin check will raise red flags if plugins aren't being maintained or haven't been updated 
 
 == Changelog ==
+
+= 1.2.0 =
+* New test: Prevent access to stray non-Wordpress files which could be useful to attackers
+* Remove test: Shellshock test (not an ongoing concern)
+* Enhancement: User enumeration test checks users with posts
+* Enhancement: Increase reliabilty if site is using a self-signed TLS certificate
+* Enhancement: Added common usernames (thanks to Viktor Szépe & Simon Fredsted)
+* Enhancement: Allowance for overriding requirements check
 
 = 1.1.2 =

gauntlet-security/trunk/admin/assets/css/admin.css

@@ -318 +318 @@
     color:#DB2C64;
 }
-.critical h2, table .critical td{
-    color:red;
+.critical h2, 
+table .critical td *,
+table .critical td{
+    color:red !important;
     font-weight:bold;
 }

gauntlet-security/trunk/admin/assets/js/admin.js

@@ -18 +18 @@
             */
             var tests = [
-                ['gus_FilePermissions', 'slow'],
-                ['gus_DirectoryIndexing', 2],
-                ['gus_ExecutableUploads', 2],
-                ['gus_SecureIncludes', 2],
-                ['gus_Shellshock', 'slow'],
-                ['gus_WpContentLocation', 2],
-                ['gus_PhpFunctions', 2],
-                ['gus_PhpAllowUrl', 2],
-                ['gus_DbPassword', 2],
-                ['gus_WpTable', 2],
-                ['gus_WpVersion', 2],
-                ['gus_PhpDisplayErrors', 2],
-                ['gus_FileEditing', 2],
-                ['gus_KeysAndSalts', 2],
-                ['gus_WpGenerator', 2],
-                ['gus_AnyoneCanRegister', 2],
-                ['gus_SslAdmin', 2],
-                ['gus_PluginAudit', 'slow'],
-                ['gus_UnusedThemes', 2],
-                ['gus_BmuhtMit', 'slow'],
-                ['gus_AdminUsername', 2],
-                ['gus_CommonPasswords', 'slow'],
-                ['gus_UserIdOne', 'slow'],
-                ['gus_AdminCount', 'slow'],
-                ['gus_NickNames', 'slow'],
-                ['gus_UserNames', 'slow']
+                ['gus_FilePermissions', 'slow'],
+                ['gus_DirectoryIndexing', 2],
+                ['gus_ExecutableUploads', 2],
+                ['gus_SecureIncludes', 2],
+                ['gus_StrayFiles', 'slow'],
+                ['gus_WpContentLocation', 2],
+                ['gus_PhpFunctions', 2],
+                ['gus_PhpAllowUrl', 2],
+                ['gus_DbPassword', 2],
+                ['gus_WpTable', 2],
+                ['gus_WpVersion', 2],
+                ['gus_PhpDisplayErrors', 2],
+                ['gus_FileEditing', 2],
+                ['gus_KeysAndSalts', 2],
+                ['gus_WpGenerator', 2],
+                ['gus_AnyoneCanRegister', 2],
+                ['gus_SslAdmin', 2],
+                ['gus_PluginAudit', 'slow'],
+                ['gus_UnusedThemes', 2],
+                ['gus_BmuhtMit', 'slow'],
+                ['gus_AdminUsername', 2],
+                ['gus_CommonPasswords', 'slow'],
+                ['gus_UserIdOne', 'slow'],
+                ['gus_AdminCount', 'slow'],
+                ['gus_NickNames', 'slow'],
+                ['gus_UserNames', 'slow'],
             ];
             var finished_tests = 0;

gauntlet-security/trunk/admin/includes/classes/gus_AdminUsername.php

@@ -8 +8 @@
 
     private $bad_names = array(
+        'adm',
         'admin',
+        'admin1',
         'administrator',
+        'backup',
+        'demo',
+        'editor',
+        'login',
+        'moderator',
+        'office',
+        'support',
         'test',
-        'support',
-        'adm',
+        'tester',
+        'user',
+        'user2',
+        'username',
     );
     private $bad_domain = '';
@@ -146 +157 @@
         return 'Intermediate';
     }
+
+    protected function references()
+    {
+        return <<<EOD
+            
+        <a href='http://simonfredsted.com/1260'>Simon Fredsted: 300,000 login attempts and 5 observations</a><br>
+        <a href='https://github.com/szepeviktor/wordpress-plugin-construction/blob/master/wordpress-fail2ban/block-bad-requests/wp-login-bad-request.inc.php'>Viktor Szépe: Block Bad Requests plugin</a><br>
+
+EOD;
+    }
+
 }

gauntlet-security/trunk/admin/includes/classes/gus_BmuhtMit.php

@@ -191 +191 @@
         
         <p>The latest version is available here: 
-        <a href='{$this->latest_url}' target='_blank'>{$this->latest_url}</a></p>
+        <a href='{$this->latest_url}' target='_blank'>{$this->latest_url}</a>
+        but keep in mind that as of September 2014, it's no longer being maintained.
+        </p>
         
 EOD;
@@ -200 +202 @@
         return 'Advanced';
     }   
+
+    protected function references()
+    {
+        return <<<EOD
+            
+        <a href='http://www.binarymoon.co.uk/2014/09/timthumb-end-life/'>Binary Moon: TimThumb is No Longer Supported or Maintained</a><br>
+
+EOD;
+    }
 }

gauntlet-security/trunk/admin/includes/classes/gus_ExecutableUploads.php

@@ -25 +25 @@
         */
         $full_url = $upload_dir['baseurl'] . '/' . $test_string . '.php';
-        $response = wp_remote_request( $full_url );
+        $args = (is_ssl()) ? array('sslverify' => false) : array() ; 
+        $response = wp_remote_request( $full_url, $args );
 
         if( is_array($response) && isset($response['response']['code']) )

gauntlet-security/trunk/admin/includes/classes/gus_NickNames.php

@@ -93 +93 @@
         return <<<EOD
             
-        Change a user's display name by by editing their "Display name publicly as" setting.
+        Change a user's display name by editing their "Display name publicly as" setting.
 
 EOD;

gauntlet-security/trunk/admin/includes/classes/gus_PhpAllowUrl.php

@@ -129 +129 @@
         $code = <<<EOD
 
-allow_url_include = 'off'
-allow_url_fopen = 'off'
+allow_url_include = off
+allow_url_fopen = off
 
 EOD;

gauntlet-security/trunk/admin/includes/classes/gus_PhpFunctions.php

@@ -9 +9 @@
     private $dangerous = array(
         'exec', 
-        'passthru', 
         'shell_exec', 
         'system', 
+        'passthru', 
+        'pcntl_exec',
         'proc_open', 
-        'pcntl_exec',
     );
 

gauntlet-security/trunk/admin/includes/classes/gus_TestBase.php

@@ -366 +366 @@
     }
     
+    protected function url_from_path($path)
+    {
+        return site_url() . '/' . str_replace(ABSPATH, '', $path);
+    }
     
     protected function start_timer()

gauntlet-security/trunk/admin/includes/classes/gus_TestRunner.php

@@ -15 +15 @@
         $this->tests[] = array('gus_ExecutableUploads', 'Files');
         $this->tests[] = array('gus_SecureIncludes', 'Files');
-        $this->tests[] = array('gus_Shellshock', 'Files');
+        $this->tests[] = array('gus_StrayFiles', 'Files');
         $this->tests[] = array('gus_WpContentLocation', 'Files');
                                 

gauntlet-security/trunk/admin/includes/classes/gus_UserNames.php

@@ -9 +9 @@
     {
         $users = get_users();
-        $first_user_id = $users[0]->ID;
+        foreach($users as $u)
+        {
+            if(count_user_posts($u->ID) > 0)
+            {
+                $test_user_id = $u->ID;            
+            }
+        }
+        
+        if( ! isset($test_user_id) )
+        {
+            $current_user = wp_get_current_user();
+            $test_user_id = $current_user->ID;
+        }
             
         /*
             Can usernames be easily enumerated? (like with WPScan)
         */
-        $url = site_url() . '/?author=' . $first_user_id;
-        $args = array();
+        $url = site_url() . '/?author=' . $test_user_id;
+        $args = (is_ssl()) ? array('sslverify' => false) : array() ; 
         $response = wp_remote_head( $url, $args );
+
         if( 
             ! is_object($response) && 
@@ -33 +46 @@
             if($response['response']['code'] == 301)
             {
-                $this->example_redirected_url = get_author_posts_url( $first_user_id );
+                $this->example_redirected_url = get_author_posts_url( $test_user_id );
             }
         }

gauntlet-security/trunk/gauntlet-security.php

@@ -189 +189 @@
                 $pass_reqs = false;
             }
+            
+            // Force the plugin to be enabled. GUS_FORCE_ENABLE can be set in wp-config.php
+            if ( defined( 'GUS_FORCE_ENABLE' ) && GUS_FORCE_ENABLE )
+            {
+                $pass_reqs = true;
+            }
 
             return array(