Changeset 1389771

Timestamp:

04/07/2016 10:25:30 PM (10 years ago)

Author:

cbergen

Message:

tagging v1.4.0

Location:

gauntlet-security

Files:

• tags/1.4.0 (copied) (copied from gauntlet-security/trunk)
• tags/1.4.0/README.txt (modified) (4 diffs)
• tags/1.4.0/admin/assets/css/admin.css (modified) (1 diff)
• tags/1.4.0/admin/assets/js/admin.js (modified) (1 diff)
• tags/1.4.0/admin/includes/classes/gus_DirectoryIndexing.php (modified) (1 diff)
• tags/1.4.0/admin/includes/classes/gus_HidePhpVersion.php (added)
• tags/1.4.0/admin/includes/classes/gus_PhpVersion.php (added)
• tags/1.4.0/admin/includes/classes/gus_SslAdmin.php (modified) (2 diffs)
• tags/1.4.0/admin/includes/classes/gus_StrayFiles.php (modified) (3 diffs)
• tags/1.4.0/admin/includes/classes/gus_TestRunner.php (modified) (2 diffs)
• tags/1.4.0/gauntlet-security.php (modified) (1 diff)
• trunk/README.txt (modified) (4 diffs)
• trunk/admin/assets/css/admin.css (modified) (1 diff)
• trunk/admin/assets/js/admin.js (modified) (1 diff)
• trunk/admin/includes/classes/gus_DirectoryIndexing.php (modified) (1 diff)
• trunk/admin/includes/classes/gus_HidePhpVersion.php (added)
• trunk/admin/includes/classes/gus_PhpVersion.php (added)
• trunk/admin/includes/classes/gus_SslAdmin.php (modified) (2 diffs)
• trunk/admin/includes/classes/gus_StrayFiles.php (modified) (3 diffs)
• trunk/admin/includes/classes/gus_TestRunner.php (modified) (2 diffs)
• trunk/gauntlet-security.php (modified) (1 diff)

gauntlet-security/tags/1.4.0/README.txt

@@ -2 +2 @@
 Contributors: cbergen
 Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=RGTZ39B4M83SA
-Tags: security, secure, vulnerability, exploit, hacks, audit, scanner, virus, multisite, network, gauntlet, checklist, protection
+Tags: security, secure, vulnerability, exploit, hacks, audit, scanner, virus, multisite, network, gauntlet, checklist, protection, security hardening
 Requires at least: 3.4
-Tested up to: 4.3.1
-Stable tag: 1.3.0
+Tested up to: 4.5
+Stable tag: 1.4.0
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
@@ -25 +25 @@
 * Prevent access to any stray files which could be useful to attackers
 * Rename or move the content directory
+* Keep PHP up-to-date
 * Disable dangerous PHP functions
 * Disable allow_url_include and allow_url_fopen PHP flags
+* Turn off the display of PHP errors
+* Don't advertise the PHP version you are running
 * Use a strong database password
 * Change the default database table prefix
 * Keep WordPress up-to-date
-* Turn off the display of PHP errors
 * Turn off file editing in the control panel
 * Set security keys in WP-Config file
@@ -53 +55 @@
 * Apache web server
 * WordPress 3.4 minimum
-* PHP 5.2 minimum
+* PHP 5.2.7 minimum
 
 = Disclaimer =
@@ -107 +109 @@
 == Changelog ==
 
+= 1.4.0 =
+* New test: Keep PHP up-to-date
+* New test: Don't advertise the PHP version you are running
+* Enhancement: Remove deprecated WordPress function, force_ssl_login
+* Enhancement: Improve colour-coding on plugin check
+* Enhancement: Add stray file check for "error_log" files
+* Tested on WordPress 4.5
+
 = 1.3.0 =
 * Enhancement: Add compatibility with WordPress Multisite installs

gauntlet-security/tags/1.4.0/admin/assets/css/admin.css

@@ -327 +327 @@
     color:#7F7F7F;
 }
-
+/*
+    Override critical colours on plugin check
+*/
+.gus_PluginAudit table .critical td .okay{
+    color:#444;
+}
 
 

gauntlet-security/tags/1.4.0/admin/assets/js/admin.js

@@ -24 +24 @@
                 ['gus_StrayFiles', 'slow'],
                 ['gus_WpContentLocation', 2],
+                ['gus_PhpVersion', 2],
                 ['gus_PhpFunctions', 2],
                 ['gus_PhpAllowUrl', 2],
+                ['gus_PhpDisplayErrors', 2],
+                ['gus_HidePhpVersion', 2],
                 ['gus_DbPassword', 2],
                 ['gus_WpTable', 2],
                 ['gus_WpVersion', 2],
-                ['gus_PhpDisplayErrors', 2],
                 ['gus_FileEditing', 2],
                 ['gus_KeysAndSalts', 2],

gauntlet-security/tags/1.4.0/admin/includes/classes/gus_DirectoryIndexing.php

@@ -62 +62 @@
         When directory indexing is left on, visitors can navigate to a directory on your site
         and (if there's no index file) view a listing of all the files inside. This information
-        can be useful to hackers who are targetting your site and want to understand the structure
+        can be useful to hackers who are targeting your site and want to understand the structure
         and contents of the server. 
         

gauntlet-security/tags/1.4.0/admin/includes/classes/gus_SslAdmin.php

@@ -3 +3 @@
 class gus_SslAdmin extends gus_TestBase
 {
-    private $force_ssl_login = false;
-
     protected function main_check()
     {
-        if( force_ssl_login() )
-        {
-            $this->force_ssl_login = true;
-        }
-
-        /*
-            Even if FORCE_SSL_LOGIN is true,
-            if FORCE_SSL_ADMIN is not set, there will be security issues.
-        
-            https://core.trac.wordpress.org/ticket/10267#comment:20
-        
-            TODO: This may not be true in WP v.4. The functionality of 
-            FORCE_SSL_LOGIN may become the same as FORCE_SSL_ADMIN.
-        */
-
         if( force_ssl_admin() )
         {
@@ -54 +37 @@
     protected function result_text()
     {
-        /*
-            FORCE_SSL_ADMIN is not set but FORCE_SSL_LOGIN is: Boo
-        */
-        if( $this->pass !== 'pass' && $this->force_ssl_login == true )
-        {
-            return <<<EOD
-
-            <p>This site enforces SSL for the login page but not for the general 
-                admin area. While the act of logging
-                in is encrypted, any of the logged-in users' cookies will still be 
-                accessible over regular HTTP.</p>
-
-            <div class='subtests'>
-                <table>
-                    <tbody>
-                        <tr>
-                            <td>FORCE_SSL_LOGIN</td>
-                            <td>true</td>
-                        </tr>
-                        <tr>
-                            <td>FORCE_SSL_ADMIN</td>
-                            <td><span class="error">false</span></td>
-                        </tr>
-                    </tbody>
-                </table>
-            </div>
-
-EOD;
-        }
-        
         /*
             Neither FORCE_SSL_ADMIN nor FORCE_SSL_LOGIN is set: Boo

gauntlet-security/tags/1.4.0/admin/includes/classes/gus_StrayFiles.php

@@ -390 +390 @@
         $description = 'Logs';
         
-        // Common git locations: WP root and Active theme root
-        $common_paths = array();
+        // Common locations: content directory, plugins directory, and active theme directory
+        $common_paths = array(
+            ABSPATH . 'error_log',
+            WP_CONTENT_DIR . '/error_log',
+            WP_CONTENT_DIR . '/plugins/error_log',
+            get_stylesheet_directory() . '/error_log',
+        );
 
         // Find existing files
@@ -412 +417 @@
                 'url_blocked' => $url_blocked
             ) );
+            if($description !== '')
+            {
+                $description = '';
+            }
         }
         
@@ -418 +427 @@
             $this->run_sub_test( array(
                 'description' => $description,
-                'path' => 'eg: debug.log',
+                'path' => 'eg: debug.log, error_log',
                 'path_exists' => false,
                 'url_blocked' => true

gauntlet-security/tags/1.4.0/admin/includes/classes/gus_TestRunner.php

@@ -19 +19 @@
                                 
         // PHP configuration    
+        $this->tests[] = array('gus_PhpVersion', 'PHP');
         $this->tests[] = array('gus_PhpFunctions', 'PHP');
         $this->tests[] = array('gus_PhpAllowUrl', 'PHP');
+        $this->tests[] = array('gus_PhpDisplayErrors', 'PHP');
+        $this->tests[] = array('gus_HidePhpVersion', 'PHP');
                                 
         // Database             
@@ -28 +31 @@
         // WordPress configuration
         $this->tests[] = array('gus_WpVersion', 'WordPress');
-        $this->tests[] = array('gus_PhpDisplayErrors', 'WordPress');
         $this->tests[] = array('gus_FileEditing', 'WordPress');
         $this->tests[] = array('gus_KeysAndSalts', 'WordPress');

gauntlet-security/tags/1.4.0/gauntlet-security.php

@@ -7 +7 @@
  * Author: Cornelius Bergen, Matchbox Creative
  * Author URI: http://matchboxcreative.com
- * Version: 1.3.0
+ * Version: 1.4.0
  * Text Domain: gauntlet
  */

gauntlet-security/trunk/README.txt

@@ -2 +2 @@
 Contributors: cbergen
 Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=RGTZ39B4M83SA
-Tags: security, secure, vulnerability, exploit, hacks, audit, scanner, virus, multisite, network, gauntlet, checklist, protection
+Tags: security, secure, vulnerability, exploit, hacks, audit, scanner, virus, multisite, network, gauntlet, checklist, protection, security hardening
 Requires at least: 3.4
-Tested up to: 4.3.1
-Stable tag: 1.3.0
+Tested up to: 4.5
+Stable tag: 1.4.0
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
@@ -25 +25 @@
 * Prevent access to any stray files which could be useful to attackers
 * Rename or move the content directory
+* Keep PHP up-to-date
 * Disable dangerous PHP functions
 * Disable allow_url_include and allow_url_fopen PHP flags
+* Turn off the display of PHP errors
+* Don't advertise the PHP version you are running
 * Use a strong database password
 * Change the default database table prefix
 * Keep WordPress up-to-date
-* Turn off the display of PHP errors
 * Turn off file editing in the control panel
 * Set security keys in WP-Config file
@@ -53 +55 @@
 * Apache web server
 * WordPress 3.4 minimum
-* PHP 5.2 minimum
+* PHP 5.2.7 minimum
 
 = Disclaimer =
@@ -107 +109 @@
 == Changelog ==
 
+= 1.4.0 =
+* New test: Keep PHP up-to-date
+* New test: Don't advertise the PHP version you are running
+* Enhancement: Remove deprecated WordPress function, force_ssl_login
+* Enhancement: Improve colour-coding on plugin check
+* Enhancement: Add stray file check for "error_log" files
+* Tested on WordPress 4.5
+
 = 1.3.0 =
 * Enhancement: Add compatibility with WordPress Multisite installs

gauntlet-security/trunk/admin/assets/css/admin.css

@@ -327 +327 @@
     color:#7F7F7F;
 }
-
+/*
+    Override critical colours on plugin check
+*/
+.gus_PluginAudit table .critical td .okay{
+    color:#444;
+}
 
 

gauntlet-security/trunk/admin/assets/js/admin.js

@@ -24 +24 @@
                 ['gus_StrayFiles', 'slow'],
                 ['gus_WpContentLocation', 2],
+                ['gus_PhpVersion', 2],
                 ['gus_PhpFunctions', 2],
                 ['gus_PhpAllowUrl', 2],
+                ['gus_PhpDisplayErrors', 2],
+                ['gus_HidePhpVersion', 2],
                 ['gus_DbPassword', 2],
                 ['gus_WpTable', 2],
                 ['gus_WpVersion', 2],
-                ['gus_PhpDisplayErrors', 2],
                 ['gus_FileEditing', 2],
                 ['gus_KeysAndSalts', 2],

gauntlet-security/trunk/admin/includes/classes/gus_DirectoryIndexing.php

@@ -62 +62 @@
         When directory indexing is left on, visitors can navigate to a directory on your site
         and (if there's no index file) view a listing of all the files inside. This information
-        can be useful to hackers who are targetting your site and want to understand the structure
+        can be useful to hackers who are targeting your site and want to understand the structure
         and contents of the server. 
         

gauntlet-security/trunk/admin/includes/classes/gus_SslAdmin.php

@@ -3 +3 @@
 class gus_SslAdmin extends gus_TestBase
 {
-    private $force_ssl_login = false;
-
     protected function main_check()
     {
-        if( force_ssl_login() )
-        {
-            $this->force_ssl_login = true;
-        }
-
-        /*
-            Even if FORCE_SSL_LOGIN is true,
-            if FORCE_SSL_ADMIN is not set, there will be security issues.
-        
-            https://core.trac.wordpress.org/ticket/10267#comment:20
-        
-            TODO: This may not be true in WP v.4. The functionality of 
-            FORCE_SSL_LOGIN may become the same as FORCE_SSL_ADMIN.
-        */
-
         if( force_ssl_admin() )
         {
@@ -54 +37 @@
     protected function result_text()
     {
-        /*
-            FORCE_SSL_ADMIN is not set but FORCE_SSL_LOGIN is: Boo
-        */
-        if( $this->pass !== 'pass' && $this->force_ssl_login == true )
-        {
-            return <<<EOD
-
-            <p>This site enforces SSL for the login page but not for the general 
-                admin area. While the act of logging
-                in is encrypted, any of the logged-in users' cookies will still be 
-                accessible over regular HTTP.</p>
-
-            <div class='subtests'>
-                <table>
-                    <tbody>
-                        <tr>
-                            <td>FORCE_SSL_LOGIN</td>
-                            <td>true</td>
-                        </tr>
-                        <tr>
-                            <td>FORCE_SSL_ADMIN</td>
-                            <td><span class="error">false</span></td>
-                        </tr>
-                    </tbody>
-                </table>
-            </div>
-
-EOD;
-        }
-        
         /*
             Neither FORCE_SSL_ADMIN nor FORCE_SSL_LOGIN is set: Boo

gauntlet-security/trunk/admin/includes/classes/gus_StrayFiles.php

@@ -390 +390 @@
         $description = 'Logs';
         
-        // Common git locations: WP root and Active theme root
-        $common_paths = array();
+        // Common locations: content directory, plugins directory, and active theme directory
+        $common_paths = array(
+            ABSPATH . 'error_log',
+            WP_CONTENT_DIR . '/error_log',
+            WP_CONTENT_DIR . '/plugins/error_log',
+            get_stylesheet_directory() . '/error_log',
+        );
 
         // Find existing files
@@ -412 +417 @@
                 'url_blocked' => $url_blocked
             ) );
+            if($description !== '')
+            {
+                $description = '';
+            }
         }
         
@@ -418 +427 @@
             $this->run_sub_test( array(
                 'description' => $description,
-                'path' => 'eg: debug.log',
+                'path' => 'eg: debug.log, error_log',
                 'path_exists' => false,
                 'url_blocked' => true

gauntlet-security/trunk/admin/includes/classes/gus_TestRunner.php

@@ -19 +19 @@
                                 
         // PHP configuration    
+        $this->tests[] = array('gus_PhpVersion', 'PHP');
         $this->tests[] = array('gus_PhpFunctions', 'PHP');
         $this->tests[] = array('gus_PhpAllowUrl', 'PHP');
+        $this->tests[] = array('gus_PhpDisplayErrors', 'PHP');
+        $this->tests[] = array('gus_HidePhpVersion', 'PHP');
                                 
         // Database             
@@ -28 +31 @@
         // WordPress configuration
         $this->tests[] = array('gus_WpVersion', 'WordPress');
-        $this->tests[] = array('gus_PhpDisplayErrors', 'WordPress');
         $this->tests[] = array('gus_FileEditing', 'WordPress');
         $this->tests[] = array('gus_KeysAndSalts', 'WordPress');

gauntlet-security/trunk/gauntlet-security.php

@@ -7 +7 @@
  * Author: Cornelius Bergen, Matchbox Creative
  * Author URI: http://matchboxcreative.com
- * Version: 1.3.0
+ * Version: 1.4.0
  * Text Domain: gauntlet
  */