Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 21 Apr 2016 09:12:29 +0100
From: Sysdream Labs <labs@...dream.com>
To: oss-security@...ts.openwall.com, fulldisclosure@...lists.org
Subject: Wordpress iThemes Security (Better WP Security) Insecure
 Backup/Logfile Generation (predicatable filename)

Wordpress iThemes Security (Better WP Security) Insecure Backup/Logfile Generation (predicatable filename)
==========================================================================================================


Description
===========

When using the "database backup/logging on filesystem" feature, iThemes security generates a weak filename allowing attackers to obtain the backup/log file if they know when the backup/log file was generated (timestamp).

**Access Vector**: remote

**Security Risk**: medium

**Vulnerability**: CWE-330

**CVSS Base Score**: 7.5


---------------
Vulnerable code
---------------

The vulnerable code is located at core/modules/backup/class-itsec-backup.php, line 244 :

        $file = 'backup-' . substr( sanitize_title( get_bloginfo( 'name' ) ), 0, 20 ) . '-' . $current_time . '-' . ITSEC_Lib::get_random( mt_rand( 5, 10 ) );

In core/class-itsec-logger.php, line  :

        $itsec_globals['settings']['log_info'] = substr( sanitize_title( get_bloginfo( 'name' ) ), 0, 20 ) . '-' . ITSEC_Lib::get_random( mt_rand( 0, 10 ) );


In core/class-itsec-lib.php, function get_random, line 415:

        public static function get_random( $length, $base32 = false, $special_chars = false ) {

                if ( true === $base32 ) {

                        $string = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

                } else {

                        $string = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

                        if ( true === $special_chars ) {

                                $string .= '_)(*&^%$#@...:;<>,.?/{}[]|';

                        }

                }

                return substr( str_shuffle( $string ), mt_rand( 0, strlen( $string ) - $length ), $length );

        }


The str_shuffle should *never* be used for generating secure strings as it uses the PHP rand() function and just shuffles the characters' position.

--------
Solution
--------

Make sure to generate non-predictable strings, using cryptographically secure generators. 
Update iThemes Security to version >= 5.3.1

Affected versions
=================

* iThemes Security <= 5.3.0

Timeline (dd/mm/yyyy)
=====================

* 26/02/2016 : Initial contact with iThemes.
* 26/02/2016 : iThemes confirms the vulnerabilities.
* 29/02/2016 : iThemes publishes a new version (5.3.1) of iThemes Security that fixes the vulnerabilities.

Credits
=======

* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)



-- 
SYSDREAM Labs <labs@...dream.com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ