Changeset 1460479

Timestamp:

07/25/2016 10:53:20 PM (10 years ago)

Author:

fdoromo

Message:

tags/3.4.1 (fix vulnerability)

Location:

total-security

Files:

• tags/3.4.1 (added)
• tags/3.4.1/css (added)
• tags/3.4.1/css/admin.css (added)
• tags/3.4.1/css/bookmarklet.css (added)
• tags/3.4.1/css/snippet.min.css (added)
• tags/3.4.1/images (added)
• tags/3.4.1/images/_16x16-3.png (added)
• tags/3.4.1/images/_16x16.png (added)
• tags/3.4.1/images/ajax-loader.gif (added)
• tags/3.4.1/images/bg.png (added)
• tags/3.4.1/images/error2.png (added)
• tags/3.4.1/images/ext (added)
• tags/3.4.1/images/ext/_no.png (added)
• tags/3.4.1/images/ext/css.png (added)
• tags/3.4.1/images/ext/data.png (added)
• tags/3.4.1/images/ext/exe.png (added)
• tags/3.4.1/images/ext/f1.png (added)
• tags/3.4.1/images/ext/f2.png (added)
• tags/3.4.1/images/ext/flash.png (added)
• tags/3.4.1/images/ext/html.png (added)
• tags/3.4.1/images/ext/java.png (added)
• tags/3.4.1/images/ext/jpg.png (added)
• tags/3.4.1/images/ext/js.png (added)
• tags/3.4.1/images/ext/pdf.png (added)
• tags/3.4.1/images/ext/php.png (added)
• tags/3.4.1/images/ext/txt.png (added)
• tags/3.4.1/images/ext/zip.png (added)
• tags/3.4.1/images/h3_icons (added)
• tags/3.4.1/images/h3_icons/bug.png (added)
• tags/3.4.1/images/h3_icons/code.png (added)
• tags/3.4.1/images/h3_icons/locate.png (added)
• tags/3.4.1/images/h3_icons/star.png (added)
• tags/3.4.1/images/info.png (added)
• tags/3.4.1/images/info0.png (added)
• tags/3.4.1/images/info2.png (added)
• tags/3.4.1/images/loading.gif (added)
• tags/3.4.1/images/paypal.png (added)
• tags/3.4.1/images/success.png (added)
• tags/3.4.1/images/warning.png (added)
• tags/3.4.1/js (added)
• tags/3.4.1/js/admin.js (added)
• tags/3.4.1/js/jquery.blockUI.js (added)
• tags/3.4.1/js/snippet.min.js (added)
• tags/3.4.1/lang (added)
• tags/3.4.1/lang/Help translating it.url (added)
• tags/3.4.1/lang/total-security-ru_RU.mo (added)
• tags/3.4.1/libs (added)
• tags/3.4.1/libs/bookmarklet (added)
• tags/3.4.1/libs/bookmarklet/_footer.php (added)
• tags/3.4.1/libs/bookmarklet/_head.php (added)
• tags/3.4.1/libs/bookmarklet/password_hash.php (added)
• tags/3.4.1/libs/brute-force-dictionary.txt (added)
• tags/3.4.1/libs/hashes-4.5.3.php (added)
• tags/3.4.1/modules (added)
• tags/3.4.1/modules/class-p2.php (added)
• tags/3.4.1/modules/class-p3.php (added)
• tags/3.4.1/modules/class-p4.php (added)
• tags/3.4.1/modules/class-p5.php (added)
• tags/3.4.1/modules/class-p7.php (added)
• tags/3.4.1/modules/class-process.php (added)
• tags/3.4.1/modules/inc-p1.php (added)
• tags/3.4.1/modules/inc-p2.php (added)
• tags/3.4.1/modules/inc-p3.php (added)
• tags/3.4.1/modules/inc-p4.php (added)
• tags/3.4.1/modules/inc-p5.php (added)
• tags/3.4.1/modules/inc-p6.php (added)
• tags/3.4.1/modules/inc-p7.php (added)
• tags/3.4.1/modules/inc-popup.php (added)
• tags/3.4.1/modules/inc-sidebar.php (added)
• tags/3.4.1/readme.txt (added)
• tags/3.4.1/total-security.php (added)
• tags/3.4.1/uninstall.php (added)
• trunk/libs/hashes-4.5.2.php (deleted)
• trunk/libs/hashes-4.5.3.php (added)
• trunk/modules/class-p4.php (modified) (1 diff)
• trunk/modules/class-process.php (modified) (3 diffs)
• trunk/modules/inc-p6.php (modified) (2 diffs)
• trunk/readme.txt (modified) (2 diffs)
• trunk/total-security.php (modified) (2 diffs)

total-security/trunk/modules/class-p4.php

@@ -253 +253 @@
             foreach ( $data as $item => $attr ) {
 
-                $rows[$count]['timestamp'] = $attr['timestamp'];
-                $rows[$count]['id'] = $attr['id'];
-                $rows[$count]['host'] = $attr['host'];
-                $rows[$count]['uri'] = $attr['url'];
-                $rows[$count]['referrer'] = $attr['referrer'];
+                $rows[$count]['timestamp'] = sanitize_text_field($attr['timestamp']);
+                $rows[$count]['id'] = sanitize_text_field($attr['id']);
+                $rows[$count]['host'] = sanitize_text_field($attr['host']);
+                $rows[$count]['uri'] = sanitize_text_field($attr['url']);
+                $rows[$count]['referrer'] = sanitize_text_field($attr['referrer']);
                 $count++;
 

total-security/trunk/modules/class-process.php

@@ -4 +4 @@
 function __construct() {
               if (isset( $_POST['fdx_page']) ) {
-              add_filter('init', array( $this, 'fdx_update_post_settings') );
+              add_filter('init', array( $this, 'fdx_update_post_settings') );
               }
 
@@ -43 +43 @@
  */
 function fdx_update_post_settings() {
-           switch ( $_POST['fdx_page'] ) {
-                    case 'fdx_form_all':
+                   check_admin_referer( 'fdx_nonce' );
+                   switch ( $_POST['fdx_page'] ) {
+                    case 'fdx_form_all':
                     $this->fdx_process_all();
                     # first donation hidding time 'now'
@@ -66 +67 @@
                     break;
     }
+
 }
 

total-security/trunk/modules/inc-p6.php

@@ -31 +31 @@
 //form
 echo '<form method="post" action="">';
-      wp_nonce_field();
+      wp_nonce_field( 'fdx_nonce' );
 echo '<input type="hidden" name="fdx_page" value="fdx_form_all" />';
 
@@ -145 +145 @@
 echo '<div class="button_reset">';
 echo '<form method="post" action="">';
+wp_nonce_field( 'fdx_nonce' ); 
 echo '<input type="hidden" name="fdx_page" value="fdx_reset" />';
 echo submit_button( __('Restore Defaults', $this->hook ), 'secondary', 'Submit' , false, array( 'id' => 'space', 'onclick' => 'return confirm(\'' . esc_js( __( 'Restore Default Settings?',  $this->hook ) ) . '\');' ) );

total-security/trunk/readme.txt

@@ -4 +4 @@
 Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=8DHY4NXW35T4Y
 Tags: security, scan ,scanner, hack, exploit, secure, malware, phishing, vulnerability, scours, unsafe, total, 404 log, error 404, stealth login, hidden login, Bookmarklet,Log Viewer, debug.log
-Requires at least: 4.5.2
-Tested up to: 4.5.2
-Stable tag: 3.4
+Requires at least: 4.5.3
+Tested up to: 4.5.3
+Stable tag: 3.4.1
 License: GPLv2 or later
 
@@ -124 +124 @@
 
 == Changelog ==
+* 3.4.1
+    * IMPROVED - Compatibility with WordPress 4.5.3
+    * FIX -  Persistent cross-site scripting (XSS) vulnerability
+    * FIX -  Settings change vulnerability
+
 * 3.4
     * NEW - New Test: SSL Logins and SSL Admin Access 

total-security/trunk/total-security.php

@@ -4 +4 @@
  * Plugin URI: http://fabrix.net/total-security/
  * Description: Checks your WordPress installation and provides detailed reporting on discovered vulnerabilities, anything suspicious and how to fix them.
- * Version: 3.4
+ * Version: 3.4.1
  * Author: Fabrix DoRoMo
  * Author URI: http://fabrix.net
@@ -14 +14 @@
 
 class Total_Security {
-        public $min_wp_ver          = '4.5.2'; //
-        public $pluginversion       = '3.4';
+        public $min_wp_ver          = '4.5.3'; //
+        public $pluginversion       = '3.4.1';
         public $pluginname          = 'Total Security';
         public $hook                = 'total-security';