Changeset 1782465

Timestamp:

12/07/2017 09:00:28 AM (8 years ago)

Author:

osexcel

Message:

7.1.3

• Bug fix : Update links

7.1.2

• Bug fix : detecting Joomla version ,change in the location of version.php file
• Bug fix :Fixed var management bug - add white listed vars to request back
• Updated version tags

Location:

ose-firewall/trunk

Files:

• assets/views/login.php (modified) (2 diffs)
• assets/views/whitelistmgmt.php (modified) (2 diffs)
• classes/App/Model/BaseModel.php (modified) (1 diff)
• classes/Library/fwscannerv7/fwscannerv7.php (modified) (13 diffs)
• classes/Library/fwscannerv7/fwstatsv7.php (modified) (2 diffs)
• classes/Library/oem/oem.php (modified) (2 diffs)
• ose_firewall_badge.php (modified) (1 diff)
• ose_wordpress_firewall.php (modified) (1 diff)
• readme.txt (modified) (2 diffs)

ose-firewall/trunk/assets/views/login.php

@@ -24 +24 @@
                 <div class="col-sm-4">
                     <div class="vs-line-1">
-                        <a href="https://www.centrora.com/services/subscribe">
+                        <a href="https://www.centrora.com/services/hosting-services-pricing">
                         <div id="fw-overview" class="vs-line-1-title fw-hover"> <i class="fa fa-shopping-cart"></i></div>
                         <div class="vs-line-1-number">
@@ -34 +34 @@
                 <div class="col-sm-4">
                     <div class="vs-line-1">
-                        <a href="https://www.centrora.com/services">
+                        <a href="https://www.centrora.com/services/hosting-services-pricing">
                         <div id="fw-overview" class="vs-line-1-title fw-hover"> <i class="fa fa-info-circle"></i></div>
                         <div class="vs-line-1-number">

ose-firewall/trunk/assets/views/whitelistmgmt.php

@@ -57 +57 @@
                                     <select class="form-control" id="statusfield" name ="statusfield">
                                         <option value="2"><?php oLang::_('O_SCANVARIABLES');?></option>
-                                        <option value="1"><?php oLang::_('O_FILTERVARIABLES');?></option>
                                         <option value="0"><?php oLang::_('O_WHITELISTVARIABLES');?></option>
                                     </select>
@@ -145 +144 @@
                                     <button data-target="#formModal" data-toggle="modal" class="upload-btns wl-btns"><i class="text-primary glyphicon glyphicon-plus-sign"></i> <?php oLang::_('ADD_A_VARIABLE'); ?></button>
                                     <button class="upload-btns wl-btns" type="button" onClick="changeBatchItemStatus('scan')"><i class="text-block glyphicon glyphicon-minus-sign"></i> <?php oLang::_('SCAN_VARIABLE'); ?></button>
-                                    <button class="upload-btns wl-btns" type="button" onClick="changeBatchItemStatus('filter')"><i class="text-yellow glyphicon glyphicon-eye-open"></i> <?php oLang::_('FILTER_VARIABLE'); ?></button>
                                     <button class="upload-btns wl-btns" type="button" onClick="changeBatchItemStatus('whitelist')"><i class="text-success glyphicon glyphicon-ok-sign"></i> <?php oLang::_('IGNORE_VARIABLE'); ?></button>
                                     <?php

ose-firewall/trunk/classes/App/Model/BaseModel.php

@@ -519 +519 @@
         return '<div class="row row-set" style="margin-top:14px;">
                                 <div class="col-sm-12" style="padding-left: 0px; padding-right: 20px;">
-                                 <a href="https://www.centrora.com/services/" target="_blank"><div class="call-to-action">
+                                 <a href="https://www.centrora.com/services/hosting-services-pricing" target="_blank"><div class="call-to-action">
                                     <div class="call-to-action-txt">
                                     <img width="35" height="35" alt="C_puma" src="'.OSE_FWPUBLICURL.'/images/C_puma.png"> &nbsp;

ose-firewall/trunk/classes/Library/fwscannerv7/fwscannerv7.php

@@ -64 +64 @@
     private $allowExts = array();
     protected $replaced = array();
+    protected  $detected_whitelistedVars = array();
+    protected  $orignal_request_backup = array();
 
     //run shell commands
@@ -808 +810 @@
         $subscription_status = oseFirewallBase::checkSubscriptionStatus(false);
         $this->type = $type;
-
         $request = $this->getRequestVariables($type);
         $this->original_request = $request; //store the value of original request
         $this->detected_pentest = false;
+        $this->orignal_request_backup = $request;
         if(is_array($request) && !empty($request))
         {
-            $flatarray = $this->array_flatten($request);
-
+            //remove white listed vars
+            $request_variablesfiltered = $this->removeWhiteListVariable($request,$type);
+            $flatarray = $this->array_flatten($request_variablesfiltered);
             $request_stringsfiltered = $this->hasWhiteListString();
             if(array_key_exists('accountpath',$flatarray))
@@ -822 +825 @@
             }
             if(!$request_stringsfiltered)
-           {
+            {
                //does not have any white list string
-               $request_variablesfiltered = $this->removeWhiteListVariable($flatarray);
-               //removed all the whitelisted variables
+               unset($request_variablesfiltered);
+               $request_variablesfiltered = $flatarray;
                if(!empty($request_variablesfiltered))
                {
@@ -866 +869 @@
                                if($this->detected_pentest== false)
                                {
-                                   $completereq = $this->getTheOriginalArrayStrucutre($request_variablesfiltered);
+                                   $temp_completereq = $this->getTheOriginalArrayStrucutre($request_variablesfiltered);
+                                   $completereq = $this->addWhiteListedVarsBack($temp_completereq);
                                    $this->setRequestVariables($completereq,$type);
                                }
                                else {
-                                   $completereq = $this->getTheOriginalArrayStrucutre($request_variablesfiltered_decoded);
+                                   $temp_completereq = $this->getTheOriginalArrayStrucutre($request_variablesfiltered_decoded);
+                                   $completereq = $this->addWhiteListedVarsBack($temp_completereq);
                                    $this->setRequestVariables($completereq,$type);
                                }
@@ -881 +886 @@
                                if($this->detected_pentest == false)
                                {
-                                   $completereq = $this->getTheOriginalArrayStrucutre($request_variablesfiltered);
+                                   $temp_completereq = $this->getTheOriginalArrayStrucutre($request_variablesfiltered);
+                                   $completereq = $this->addWhiteListedVarsBack($temp_completereq);
                                    $this->setRequestVariables($completereq,$type);
                                }else {
-                                   $completereq = $this->getTheOriginalArrayStrucutre($temp);
+                                   $temp_completereq = $this->getTheOriginalArrayStrucutre($temp);
+                                   $completereq = $this->addWhiteListedVarsBack($temp_completereq);
                                    $this->setRequestVariables($completereq,$type);
                                }
@@ -892 +899 @@
                    }
                    unset($this->completerequest);
+                   unset($this->detected_whitelistedVars);
 //                   return $result;
                    return false;
@@ -900 +908 @@
                  ////continue
                  //return true //safe to use
+                   unset($this->detected_whitelistedVars);
                    return true;
                }
@@ -905 +914 @@
            else{
                //white list string was detected
+               unset($this->detected_whitelistedVars);
                return true;
            }
@@ -911 +921 @@
         {
             return true;
+        }
+    }
+
+
+    //white list variables are removed from the scanning request
+    //add them back to make sure the white listed vars are not ignored in the final requets
+    public function addWhiteListedVarsBack($filtered_request)
+    {
+        if(!empty($this->detected_whitelistedVars))
+        {
+            foreach($this->detected_whitelistedVars as $whitelistedVarKey)
+            {
+                if(isset($this->orignal_request_backup[$whitelistedVarKey]))
+                {
+                    $filtered_request[$whitelistedVarKey] = $this->orignal_request_backup[$whitelistedVarKey];
+                }
+            }
+            return $filtered_request;
+        }else{
+            return $filtered_request;
         }
     }
@@ -1235 +1265 @@
 
     //check if the the white listed variables from the user exists in the request
-    public function removeWhiteListVariable($temp)
+    public function removeWhiteListVariable($temp,$type)
     {
         $variablelist = null;
@@ -1244 +1274 @@
         }else
         {
-            $whiteListVariables = $this->getWhiteListedVariables($variablelist);
+            $whiteListVariables = $this->getWhiteListedVariables($variablelist,$type);
             foreach($temp as $reqkey => $reqvalue)
             {
                 if(in_array(urldecode($reqkey),$whiteListVariables))
                 {
+                    array_push($this->detected_whitelistedVars,$reqkey);
                     unset($temp[$reqkey]);
                 }
@@ -1256 +1287 @@
     }
 
-    public function getWhiteListedVariables($variablelist)
+    public function getWhiteListedVariables($variablelist,$type)
     {
         $whiteListVariables = array();
@@ -1262 +1293 @@
         {
             $temp = explode('.',$record['variable']);
-            array_push($whiteListVariables,$temp[1]);
+            if($temp[0] == $type || $temp[0] == strtolower($type))
+            {
+                array_push($whiteListVariables,$temp[1]);
+            }
         }
         return $whiteListVariables;

ose-firewall/trunk/classes/Library/fwscannerv7/fwstatsv7.php

@@ -185 +185 @@
         if(is_array($valuesArray))
         {
-            $strings = implode("<br/>",$valuesArray);
+            if(count($valuesArray) == 1)
+            {
+                $temp_strings = explode('#',$valuesArray[0]);
+                $strings = $temp_strings[0];
+            }else{
+                $temp_string = $valuesArray;
+                $strings = implode("",$temp_string);
+            }
             $finalString = '<td class=\'shrink\' ><a href=\'javascript:void(0);\' title = \'Click to white List the variable\' onClick="whitelist_confirm(\'' . $strings . '\')">'.$strings."</a></td>";
             return $finalString;
@@ -193 +200 @@
                 $finalString = '<td class=\'shrink\'>'.$valuesArray."</a></td>";
             }else{
-                $finalString = '<td class=\'shrink\' ><a href=\'javascript:void(0);\' title = \'Click to white List the variable\' onClick="whitelist_confirm(\'' . $valuesArray . '\')">'.$valuesArray."</a></td>";
+                $temp_strings = explode('#',$valuesArray[0]);
+                $finalString = '<td class=\'shrink\' ><a href=\'javascript:void(0);\' title = \'Click to white List the variable\' onClick="whitelist_confirm(\'' . $temp_strings[0] . '\')">'.$temp_strings[0]."</a></td>";
             }
             return $finalString;

ose-firewall/trunk/classes/Library/oem/oem.php

@@ -99 +99 @@
                         <li><a href="https://www.centrora.com/my-account" title="My Account"><i class="glyphicon glyphicon-user"></i> <span class="hidden-xs hidden-sm hidden-md">My Account</span> </a></li>
                         <li><a href="https://www.centrora.com/support" id="support-center" title="Support"><i class="glyphicon glyphicon-cd"></i> <span class="hidden-xs hidden-sm hidden-md">Support</span></a></li>
-                        <li><a href="https://www.centrora.com/services/subscribe" title="Subscription"><i class="glyphicon glyphicon-share-alt"></i> <span class="hidden-xs hidden-sm hidden-md">Subscription</span></a></li>
+                        <li><a href="https://www.centrora.com/services/hosting-services-pricing" title="Subscription"><i class="glyphicon glyphicon-share-alt"></i> <span class="hidden-xs hidden-sm hidden-md">Subscription</span></a></li>
                         <li><a href="https://docs.centrora.com/en/latest/" title="Tutorial"><i class="glyphicon glyphicon-book"></i> <span class="hidden-xs hidden-sm hidden-md">Tutorial</span></a></li>
-                        <li><a href="https://www.centrora.com/services" title="Malware Removal"><i class="glyphicon glyphicon-screenshot"></i> <span class="hidden-xs hidden-sm hidden-md">Malware Removal</span></a></li>';
+                        <li><a href="https://www.centrora.com/services/hosting-services-pricing" title="Malware Removal"><i class="glyphicon glyphicon-screenshot"></i> <span class="hidden-xs hidden-sm hidden-md">Malware Removal</span></a></li>';
             return $urls;
         }
@@ -245 +245 @@
             if (!(defined('OSE_OEM_URL_PREMIUM_TUT'))) define('OSE_OEM_URL_PREMIUM_TUT', 'https://docs.centrora.com/en/latest/activate-premium.html');
             if (!(defined('OSE_OEM_URL_AFFILIATE'))) define('OSE_OEM_URL_AFFILIATE', 'https://www.centrora.com/services/affiliate');
-            if (!(defined('OSE_OEM_URL_SUBSCRIBE'))) define('OSE_OEM_URL_SUBSCRIBE', 'https://www.centrora.com/services/subscribe');
+            if (!(defined('OSE_OEM_URL_SUBSCRIBE'))) define('OSE_OEM_URL_SUBSCRIBE', 'https://www.centrora.com/services/hosting-services-pricing');
             if (!(defined('OSE_OEM_LANG_TAG'))) define('OSE_OEM_LANG_TAG','');
         }

ose-firewall/trunk/ose_firewall_badge.php

@@ -4 +4 @@
    Description: Plugin For Showing Centrora Security Badge 
    Author: Centrora Security
-   Version: 7.1.1
+   Version: 7.1.3
 */
 include(dirname(__FILE__).'/includes/oseBadgeWidget.php');

ose-firewall/trunk/ose_wordpress_firewall.php

@@ -5 +5 @@
 Description: Centrora Security (previously OSE Firewall) - A WordPress Security Firewall plugin created by Centrora. Protect your WordPress site by identify any malicious codes, spam, virus, SQL injection, and security vulnerabilities.
 Author: Centrora (Previously ProWeb)
-Version: 7.1.1
+Version: 7.1.3
 Author URI: http://www.centrora.com/
 */

ose-firewall/trunk/readme.txt

@@ -6 +6 @@
 Requires at least: 3.7
 Tested up to: 4.8.2
-Stable tag: 7.1.1
+Stable tag: 7.1.3
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -170 +170 @@
 
 == Changelog ==
+
+= 7.1.3 =
+* Bug fix : Update links
+
+= 7.1.2 =
+* Bug fix : detecting Joomla version ,change in the location of version.php file
+* Bug fix :Fixed var management bug - add white listed vars to request back
+* Updated version tags
 
 = 7.1.1 =