Changeset 475315

Timestamp:

12/14/2011 11:35:05 AM (13 years ago)

Author:

blogrescue

Message:

Plugged security vulnerabilities, changed Snapshot Everything to Snapshot Everything New, Changed items now display new file details also.

Location:

wordpress-sentinel/trunk

Files:

• readme.txt (modified) (6 diffs)
• screenshot-1.png (added)
• screenshot-2.png (added)
• wordpress_sentinel.php (modified) (13 diffs)

wordpress-sentinel/trunk/readme.txt

@@ -5 +5 @@
 Requires at least: 3.0
 Tested up to: 3.3
-Stable tag: 1.0.0
+Stable tag: 1.0.1
 
-This plugin acts as a sentinel that watches over your core Wordpress programs, as well as installed themes and plugins.  It periodically checks things and lets you know when anything changes.
+This plugin acts as a sentinel that watches over your core Wordpress programs (plus installed themes and plugins) and tells you when changes happen.
 
 == Description ==
@@ -19 +19 @@
 1. Install the plugin
 2. Select the plugin option under the Settings menu
-3. Press the Snapshot Everything button
+3. Press the <strong>Snapshot Everything New</strong> button
 
 This causes the plugin to scan the Wordpress install and track details on all files used by Wordpress, as well as for all installed plugins and themes.
 
-It is also possible to disable watching specific files.  This is done in the detail view by clicking on the Eye Icon next to the filename.  A crossed out Eye Icon will appear and the status will change to "Not Watched".  To enable watching on that file, just click on the crossed out Eye Icon.
+It is also possible to disable watching specific files.  This is done in the detail view by clicking on the Eye Icon next to the filename.  A crossed out Eye Icon will appear and the status will change to <strong>Not Watched</strong>.  To enable watching on that file, just click on the crossed out Eye Icon.
 
 == Frequently Asked Questions ==
@@ -33 +33 @@
 If you are hacked, there are four questions that you have to address:
 
-How did they get in?
-What did they change?
-How do I undo the damage that was done?
-How do I prevent them from getting in again?
+1. How did they get in?
+2. What did they change?
+3. How do I undo the damage that was done?
+4. How do I prevent them from getting in again?
+
 The purpose of this plugin is to alert you when you have been hacked and to address questions 2 & 3. Wordpress Sentinel acts as a watchdog that knows how your install is supposed to look and then alert you when something gets changed.
 
@@ -43 +44 @@
 First, install the plugin and go to the Wordpress Sentinel option under Settings. It should list content under Wordpress, Themes and Plugins.
 
-Second, click the "Snapshot Everything" button, and every file in your Wordpress install, as well as installed Themes and Plugins will be catalogued.
+Second, click the <strong>Snapshot Everything New</strong> button, and every file in your Wordpress install, as well as installed Themes and Plugins will be catalogued.
 
-Periodically, the plugin will check a portion of the items for which snapshots have been taken. If any changes are detected, an administrative message will be displayed in Wordpress Admin. If this happens, go back to the Wordpress Sentinel option under Settings. The offending item will be marked as "Changed" in Red. If you click details, you can see what files have been changed and you can determine if this was a valid change or an intrusion and take the appropriate action.
+Periodically, the plugin will check a portion of the items for which snapshots have been taken. If any changes are detected, an administrative message will be displayed in Wordpress Admin. If this happens, go back to the Wordpress Sentinel option under Settings. The offending item will be marked as <strong>Changed</strong>. If you click details, you can see what files have been changed and you can determine if this was a valid change or an intrusion and take the appropriate action.
 
 = What if I'm the one making changes? =
 
-Obviously, the plugin isn't watching what you are doing, so if you make changes to a Theme or install a new Plugin, or even Upgrade Wordpress to a newer version, it is going to notice that something changed and let you know. When this happens (and it will happen), just go to the Wordpress Sentinel option, find the item that you changed or added, and Refresh the Snapshot. (The "Snapshot Everything" button should never be used except when the plugin is first installed.)
+Obviously, the plugin cannot differentiate between a good change and a bad change, so if you make changes to a Theme or install a new Plugin, or even Upgrade Wordpress to a newer version, it is simply going to notice the change and let you know. When this happens (and it will happen), just go to the Wordpress Sentinel option, find the item that you changed or added, and Refresh the Snapshot. (The <strong>Snapshot Everything New</strong> button is a handy way to create initial snapshots after installing new themes and plugins.  It does not touch items which have previously been catalogued.)
 
 = It is complaining because my sitemap updated - How do I fix this? =
@@ -56 +57 @@
 
 1. Go to the Wordpress Sentinel interface
-2. Under Wordpress Root, click the Detail link
-3. Find sitemap.xml in the list and click on the Eye Icon to the left of the filename
-4. Find sitemap.xml.gz (if it exists) in the list and click on the Eye Icon to the left of the filename
-5. Click the Back link to get back to the Sentinel main screen
-6. Under Wordpress Root, click the Perform Check link
+2. Under Wordpress Root, click the <strong>Detail</strong> link
+3. Find <em>sitemap.xml</em> in the list and click on the Eye Icon to the left of the filename
+4. Find <em>sitemap.xml.gz</em> (if it exists) in the list and click on the Eye Icon to the left of the filename
+5. Click the <strong>Back</strong> link to get back to the Sentinel main screen
+6. Under Wordpress Root, click the <strong>Perform Check</strong> link
 
 The same process can be used to disable watching any specific file.
@@ -75 +76 @@
 
 That is really beyond the scope of this plugin. The best course of action is to keep Wordpress as well as all plugins and themes up to date. If you know the time the hack occurred (and this plugin helps you determine that) then it is also a good idea to have an Analyst look through your server logs and try to isolate the entry point.
+
+== Screenshots ==
+
+1. Wordpress Sentinel Administration Screen - shows all Top Level items (Wordpress Core, Themes, Plugins) and status for each.
+2. Item detail screen (In this screenshot: Wordpress Root)
+
+== Changelog ==
+
+= 1.0.1 =
+* Fixed Security vulnerabilities, thanks to Julio from <a href='boiteaweb.fr'>boiteaweb.fr</a>.
+* Changed "Snapshot Everything" button to "Snapshot Everything New" to prevent untentional overwriting of existing snapshot data.
+* Changed Detail so it also shows current file information (size and date) in red below the snapshot values.
+
+= 1.0.0 =
+* Initial Plugin Release
+
+== Upgrade Notice ==
+
+= 1.0.1 =
+This new release plugs several potential security holes.  Please Upgrade Immediately.

wordpress-sentinel/trunk/wordpress_sentinel.php

@@ -6 +6 @@
 Plugin Name: Wordpress Sentinel
 Plugin URI: http://blogrescue.com/2011/12/new-plugin-wp-sentinel/
-Description: This plugin acts as a sentinel that watches your Wordpress install and notifies you when it is updated.
-Version: 1.0.0
+Description: Watches over your install and alerts you when changes are made. <a href="options-general.php?page=wordpress_sentinel">Administration Panel</a> | <a href="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=GFVCGSUFKX2CU">Donate</a>
+Version: 1.0.1
 Author: Blogrescue.com
 Author URI: http://blogrescue.com
@@ -105 +105 @@
     print '<h2>Wordpress Sentinel</h2>';
     print "<div style='text-align:center;'>";
-    print "<a href='".$this->url('snapshot', array('section'=>'all'))."' class='button'>".
-      "Snapshot Everything</a>";
+    
+    $snapshot_url = $this->url('snapshot', array('section'=>'all'));
+    $snapshot_link = ( function_exists('wp_nonce_url') ) ? wp_nonce_url($snapshot_url, 'sentinel-snapshot-all') : $snapshot_url;
+    print "<a href='$snapshot_link' class='button'>".
+      "Snapshot Everything New</a>";
+      
     print "&nbsp;&nbsp;&nbsp;&nbsp;";
-    print "<a href='".$this->url('check', array('section'=>'all'))."' class='button'>Check Everything</a>";
+    
+    $check_url = $this->url('check', array('section'=>'all'));
+    $check_link = ( function_exists('wp_nonce_url') ) ? wp_nonce_url($check_url, 'sentinel-check-all') : $check_url;
+    print "<a href='$check_link' class='button'>Check Everything</a>";
+    
     print "&nbsp;&nbsp;&nbsp;&nbsp;";
     print "<a href='".$this->url('help')."' class='button'>How Does This Work?</a>";
@@ -114 +122 @@
 
     $admin_home = true;
-    $action = $this->value($this->args, 'action');
-    $section_id = $this->value($this->args, 'section');
+    $action = $this->arg('action');
+    $section_id = $this->arg('section', '0');
+    $section_id_intval = intval($section_id);
 
     if($action == 'snapshot') {
-      if($section_id == 'all')
-        $this->build_all_snapshots();
-      else 
-        $this->build_snapshot($section_id);
+      if($section_id == 'all') {
+        check_admin_referer('sentinel-snapshot-all');
+        $this->build_all_new_snapshots();
+      } else {
+        check_admin_referer('sentinel-snapshot-'.$section_id_intval);
+        $this->build_snapshot($section_id_intval);
+      }
+      
     } else if($action == 'details' && $section_id > 0) {
-      $admin_home = $this->view_details($section_id);
+      check_admin_referer('sentinel-details-'.$section_id_intval);
+      $admin_home = $this->view_details($section_id_intval);
+      
     } else if($action == 'check') {
-      if($section_id == 'all')
+      if($section_id == 'all') {
+        check_admin_referer('sentinel-check-all');
         $this->check_all_sections();
-      else 
-        $this->check_section($section_id);
+      } else {
+        check_admin_referer('sentinel-check-'.$section_id_intval);
+        $this->check_section($section_id_intval);
+      }
+      
     } else if($action == 'help') {
       $this->show_help();
@@ -167 +186 @@
 
   function display_section_name($section) {
+    $details_url = $this->url('details', array('section'=>$section->id));
+    $details_link = ( function_exists('wp_nonce_url') ) ? wp_nonce_url($details_url, 'sentinel-details-'.$section->id) : $details_url;
+    
+    $snapshot_url = $this->url('snapshot', array('section'=>$section->id));
+    $snapshot_link = ( function_exists('wp_nonce_url') ) ? wp_nonce_url($snapshot_url, 'sentinel-snapshot-'.$section->id) : $snapshot_url;
+    
+    $check_url = $this->url('check', array('section'=>$section->id));
+    $check_link = ( function_exists('wp_nonce_url') ) ? wp_nonce_url($check_url, 'sentinel-check-'.$section->id) : $check_url;
+  
     $output = "<strong>".$section->name."</strong><br />( ";
     if($section->state != WPS_STATE_NEW)
-      $output .= "<a href='".$this->url('details', array('section'=>$section->id))."'>Details</a> | ";
+      $output .= "<a href='$details_link'>Details</a> | ";
     $snap = ($section->state == WPS_STATE_NEW ? "Create Snapshot" : "Refresh Snapshot");
-    $output .= "<a href='".$this->url('snapshot', array('section'=>$section->id))."'>$snap</a> | ";
-    $output .= "<a href='".$this->url('check', array('section'=>$section->id))."'>Perform Check</a>";
+    $output .= "<a href='$snapshot_link'>$snap</a> | ";
+    $output .= "<a href='$check_link'>Perform Check</a>";
     $output .= " )";
 
@@ -189 +217 @@
   <h3>How do I use it?</h3>
   <p>First, install the plugin and go to the Wordpress Sentinel option under Settings.  It should list content under Wordpress, Themes and Plugins.</p>
-  <p>Second, click the "Snapshot Everything" button, and every file in your Wordpress install, as well as installed Themes and Plugins will be catalogued.</p>
-  <p>Periodically, the plugin will check a portion of the items for which snapshots have been taken.  If any changes are detected, an administrative message will be displayed in Wordpress Admin.  If this happens, go back to the Wordpress Sentinel option under Settings.  The offending item will be marked as "Changed" in Red.  If you click details, you can see what files have been changed and you can determine if this was a valid change or an intrusion and take the appropriate action.</p>
+  <p>Second, click the <strong>Snapshot Everything New</strong> button, and every file in your Wordpress install, as well as installed Themes and Plugins will be catalogued.</p>
+  <p>Periodically, the plugin will check a portion of the items for which snapshots have been taken. If any changes are detected, an administrative message will be displayed in Wordpress Admin. If this happens, go back to the Wordpress Sentinel option under Settings. The offending item will be marked as <span style='font-weight:bold;color:red;'>Changed</span>. If you click details, you can see what files have been changed and you can determine if this was a valid change or an intrusion and take the appropriate action..</p>
   <h3>What if I'm the one making changes?</h3>
-  <p>Obviously, the plugin isn't watching what you are doing, so if you make changes to a Theme or install a new Plugin, or even Upgrade Wordpress to a newer version, it is going to notice that something changed and let you know.  When this happens (and it will happen), just go to the Wordpress Sentinel option, find the item that you changed or added, and Refresh the Snapshot. (The "Snapshot Everything" button should never be used except when the plugin is first installed.)</p>
+  <p>Obviously, the plugin cannot differentiate between a good change and a bad change, so if you make changes to a Theme or install a new Plugin, or even Upgrade Wordpress to a newer version, it is simply going to notice the change and let you know. When this happens (and it will happen), just go to the Wordpress Sentinel option, find the item that you changed or added, and Refresh the Snapshot. (The <strong>Snapshot Everything New</strong> button is a handy way to create initial snapshots after installing new themes and plugins.  It does not touch items which have previously been catalogued.)</p>
+  <h3>It is complaining because my sitemap updated - How do I fix this?</h3>
+  To stop watching your sitemap files, do the following:
+  <ol>
+  <li>Go to the Wordpress Sentinel interface</li>
+  <li>Under <em>Wordpress Root</em>, click the <strong>Detail</strong> link</li>
+  <li>Find <em>sitemap.xml</em> in the list and click on the Eye Icon to the left of the filename</li>
+  <li>Find <em>sitemap.xml.gz</em> (if it exists) in the list and click on the Eye Icon to the left of the filename</li>
+  <li>Click the <strong>Back</strong> link to get back to the Sentinel main screen</li>
+  <li>Under Wordpress Root, click the <strong>Perform Check</strong> link</li>
+  </ol>
+  The same process can be used to disable watching any specific file.
   <h3>What do I do if I really have been hacked?</h3>
   <p>The first thing to do is to look at the Wordpress Sentinel page and figure out what items have been changed.  Take a screenshot and then look at the details of those items to see what files have been affected.  If Wordpress is changed, you need to replace every file that is changed, although usually removing the existing install and replacing it with a clean install is the best course.</p>
@@ -198 +237 @@
   <p>If a theme has been corrupted, then things may get complicated.  If it is a stock theme that can be removed and reinstalled, then do that.  If it is a custom theme, then every modified file needs to be carefully examined and cleaned up.  You may need someone with advanced skills in site development to help separate the template content from the injected code.</p>
   <h3>How do I stop the hacker from getting back in?</h3>
-  <p>That is really beyond the scope of this plugin.  The best course of action is to keep Wordpress as well as all plugins and themes up to date.  If you know the time the hack occurred (and this plugin helps you determine that) then it is also a good idea to have an Analyst look through your server logs and try to isolate the entry point.</p>
+  <p>That is really beyond the scope of this plugin.  The best course of action is to keep Wordpress as well as all plugins and themes up to date.  If you know the time the hack occurred (and this plugin can help you determine that) then it is also a good idea to have an Analyst look through your server logs and try to isolate the entry point.</p>
   <br /><br />
   Hope this plugin helps, and if you do need advanced help recovering from a hack or any other Wordpress assistance, feel free to contact me at <strong>[email protected]</strong>.
@@ -235 +274 @@
   function view_details($section_id) {
     global $wpdb; 
-    $sql = "SELECT * FROM ".$wpdb->prefix."wordpresssentinel_section WHERE section_id = $section_id";
-    $section_row = $wpdb->get_row($wpdb->prepare($sql, $this->type, $this->name, $this->location));
+    $sql = "SELECT * FROM ".$wpdb->prefix."wordpresssentinel_section WHERE section_id = %d";
+    $section_row = $wpdb->get_row($wpdb->prepare($sql, (int)$section_id));    
     
     if($section_row == null) {
@@ -244 +283 @@
     }
 
-    if(isset($this->args['watch'])) $this->set_file_watch_status($this->args['watch'], 1);
-    if(isset($this->args['nowatch'])) $this->set_file_watch_status($this->args['nowatch'], 0);
+    if(isset($this->args['watch'])) {
+      $this->set_file_watch_status($this->arg('watch'), 1);
+    }
+    if(isset($this->args['nowatch'])) {
+      $this->set_file_watch_status($this->arg('nowatch'), 0);
+    }
     
     print "<a href='".$this->url()."'>&laquo; Back</a>";
@@ -260 +303 @@
       $icon = $section_file->watch ? "watch.png" : "nowatch.png";
       $action = $section_file->watch ? "nowatch" : "watch";
-      $watch = "<a href='".$this->url('details',array('section'=>$section_id,$action=>$section_file->file_id))."'>".
-        "<img src='".plugins_url("images/$icon" , __FILE__ )."' width='16'></a>";
+      $link = $this->url('details',array('section'=>$section_id,$action=>$section_file->file_id));
+      $action_link = ( function_exists('wp_nonce_url') ) ? wp_nonce_url($link, 'sentinel-details-'.intval($section_id)) : $link;
+      
+      $alt_size = '';
+      $alt_date = '';
+      $alt_state = '';
+      if($section_file->status == WPS_STATE_CHANGED) {
+        $alt_size = "<br /><span style='color:red;'>".$section_file->changed_size."</span>";
+        $alt_date = "<br /><span style='color:red;'>".$section_file->changed_date."</span>";
+        $alt_state = "<br /><span style='color:red;'>&laquo; To</span>";
+      }
+
+      $watch = "<a href='$action_link'><img src='".plugins_url("images/$icon" , __FILE__ )."' width='16'></a>";
       print "<tr>";
       print "<td>$watch&nbsp;&nbsp;".$section_file->location."</td>";
-      print "<td>".$section_file->size."</td>";
-      print "<td>".$section_file->update_date."</td>";
-      print "<td>".$this->states[$section_file->status]."</td>";
+      print "<td>".$section_file->size.$alt_size."</td>";
+      print "<td>".$section_file->update_date.$alt_date."</td>";
+      print "<td>".$this->states[$section_file->status].$alt_state."</td>";
       print "</tr>";
     }
@@ -277 +331 @@
     global $wpdb;
     $wpdb->update($wpdb->prefix.'wordpresssentinel_file', 
-      array('watch'=>$watch_status), array('file_id'=>$file_id));
-  }
-
-  function build_all_snapshots() {
+      array('watch'=>$watch_status), array('file_id'=>intval($file_id)));
+  }
+
+  function build_all_new_snapshots() {
+    $update_list = array();
     $all_sections = array_merge($this->base, $this->themes, $this->plugins);
+    
     foreach($all_sections as $section) {
-      $this->build_snapshot($section->id, false);
-    }
-    print "<div id='message' class='updated' style='margin-top:8px;'><p>Snapshots Updated for <strong>Everything</p></strong></div>";
+      if($section->state == WPS_STATE_NEW) {
+        $this->build_snapshot($section->id, false);
+        $update_list[] = $section->name;
+      }
+    }
+    print "<div id='message' class='updated' style='margin-top:8px;'><p>Snapshots Updated for: <strong>".
+      (count($update_list) ? join(", ", $update_list) : "No New Items Found") ."</p></strong></div>";
   }
   
   function build_snapshot($section_id, $display_message = true) {
     global $wpdb; 
-    $sql = "SELECT * FROM ".$wpdb->prefix."wordpresssentinel_section WHERE section_id = $section_id";
-    $section_row = $wpdb->get_row($wpdb->prepare($sql, $this->type, $this->name, $this->location));
+    $sql = "SELECT * FROM ".$wpdb->prefix."wordpresssentinel_section WHERE section_id = %d";
+    $section_row = $wpdb->get_row($wpdb->prepare($sql, (int)$section_id));    
     
     if($section_row == null) {
@@ -362 +422 @@
   function check_section($section_id, $display_message = true) {
     global $wpdb; 
-    $sql = "SELECT * FROM ".$wpdb->prefix."wordpresssentinel_section WHERE section_id = $section_id";
-    $section_row = $wpdb->get_row($wpdb->prepare($sql, $this->type, $this->name, $this->location));
+    $sql = "SELECT * FROM ".$wpdb->prefix."wordpresssentinel_section WHERE section_id = %d";
+    $section_row = $wpdb->get_row($wpdb->prepare($sql, (int)$section_id));    
     
     if($section_row == null) {
@@ -493 +553 @@
     
       foreach($url_args as $key=>$val) {
-        if(!in_array($key, $skip)) $url_result .= "&$key=$val";
+        if(!in_array($key, $skip)) $url_result .= "&".esc_html($key)."=".esc_html($val);
       }
     }
       
     return $url_result;
+  }
+  
+  function arg($key, $default='') {
+    $value = esc_html($this->value($this->args, $key, $default));
+    return ($value);
   }
 
@@ -505 +570 @@
 
   function parse_uri() {
-    $this->uri = preg_replace('/\?.*$/', '', $_SERVER['REQUEST_URI']);
+    $this->uri = preg_replace('/\?.*$/', '', esc_html($_SERVER['REQUEST_URI']));
     parse_str($_SERVER['QUERY_STRING'], $this->args);
   }