All In One WP Security & Firewall - Version 4.4.2

Version Description

  • Fixed a vulnerability related to open redirect and exposure of the hidden login page in a specific case. (Thanks to Erwan (wpscanteam) for letting us know)

Release Info

Developer mra13
Version 4.4.2

Code changes from version 4.4.0 to 4.4.2

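--- a/classes/wp-security-deactivation-tasks.php
+++ b/classes/wp-security-deactivation-tasks.php
@@ -19,9 +19,6 @@ class AIOWPSecurity_Deactivation
 global $wpdb;
 global $aio_wp_security;
 
-//Deactivate all firewall and other .htaccess rules
-AIOWPSecurity_Configure_Settings::turn_off_all_firewall_rules();
-
 if (AIOWPSecurity_Utility::is_multisite_install()){
 delete_site_transient('users_online');
 }
@@ -29,7 +26,6 @@ class AIOWPSecurity_Deactivation
 delete_transient('users_online');
 }
 
-//
 if (AIOWPSecurity_Utility::is_multisite_install() && $networkwide) {
 // check if it is a network activation
 $blogids = $wpdb->get_col("SELECT blog_id FROM $wpdb->blogs");
@@ -47,8 +43,8 @@ class AIOWPSecurity_Deactivation
 
 AIOWPSecurity_Deactivation::clear_cron_events();
 }
-
-
+//Deactivate all firewall and other .htaccess rules
+AIOWPSecurity_Configure_Settings::turn_off_all_firewall_rules();
 }
 
 /**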
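Review bot: The `turn_off_all_firewall_rules()` call is moved from the top of the method to its end in the third hunk (`@@ -47,8 +43,8 @@`) without a comment recording why, and the enclosing method's signature and body start are outside the hunk. In the new position, any failure in the multisite loop or in `clear_cron_events()` above it would leave the plugin's .htaccess rules in place after deactivation, which is presumably not what the reorder intends. If the ordering is deliberate, say so where the call now sits, e.g. `// Must run last: <reason the .htaccess rules are removed only after the transient/cron cleanup>`, with the reason filled in by the author.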
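--- a/classes/wp-security-debug-logger.php
+++ b/classes/wp-security-debug-logger.php
@@ -26,7 +26,7 @@ class AIOWPSecurity_Logger
 
 function get_debug_timestamp()
 {
-return '['.date('m/d/Y g:i A').'] - ';
+return '['.current_time( 'mysql' ).'] - ';
 }
 
 function get_debug_status($level)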
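Review bot: `current_time('mysql')` on the replaced return line yields the site's local time with no timezone marker, so debug-log entries can no longer be correlated with web-server or database logs without first looking up the WordPress timezone option. The GMT form is available, `return '['.current_time( 'mysql', true ).' UTC] - ';`, and would make the timestamp unambiguous for incident timelines; failing that, a comment noting that the stamp follows the site timezone setting. Since the old `date()` call used the PHP/server timezone, existing log files will mix the two conventions across the upgrade, which is worth a line in the changelog.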
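--- a/classes/wp-security-installer.php
+++ b/classes/wp-security-installer.php
@@ -186,14 +186,14 @@ class AIOWPSecurity_Installer
 //Let's copy the original configs back to the options table
 $updated = update_option('aio_wp_security_configs', $temp_cfgs);
 if (!$updated) {
-$aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Installer::run_installer() - Update of option settings failed upon plugin activation!", 4);
+$aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Installer::reactivation_tasks() - Update of option settings failed upon plugin activation!", 4);
 }
 $aio_wp_security->configs->configs = $temp_cfgs; //copy the original configs to memory
 //Now let's write any rules to the .htaccess file if necessary
 $res = AIOWPSecurity_Utility_Htaccess::write_to_htaccess();
 
 if ( !$res ) {
-$aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Deactivation::run_deactivation_tasks() - Could not write to the .htaccess file. Please check the file permissions.", 4);
+$aio_wp_security->debug_logger->log_debug("AIOWPSecurity_Installer::reactivation_tasks() - Could not write to the .htaccess file. Please check the file permissions.", 4);
 return false;
 }
 delete_option('aiowps_temp_configs');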
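Review bot: Both replaced log lines hard-code the method name `reactivation_tasks()` inside the message string, which is exactly how the old strings drifted to `run_installer()` and `run_deactivation_tasks()` in the first place; `__METHOD__` supplies the same class::method prefix without maintenance, e.g. `$aio_wp_security->debug_logger->log_debug(__METHOD__ . " - Update of option settings failed upon plugin activation!", 4);` and likewise for the .htaccess message. Separately, `update_option()` returns false when the stored value is already identical as well as on a real write failure, so the first message can fire on a no-op save; a comment on the `if (!$updated)` line noting that would save the next reader from chasing a phantom failure. The enclosing method starts and ends outside the hunk.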
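--- a/classes/wp-security-user-login.php
+++ b/classes/wp-security-user-login.php
@@ -451,7 +451,8 @@ class AIOWPSecurity_User_Login
 AIOWPSecurity_Utility::is_multisite_install() ? set_site_transient('aiowps_logout_payload', $after_logout_payload, 30 * 60) : set_transient('aiowps_logout_payload', $after_logout_payload, 30 * 60);
 $logout_url = AIOWPSEC_WP_URL.'?aiowpsec_do_log_out=1';
 $logout_url = AIOWPSecurity_Utility::add_query_data_to_url($logout_url, 'al_additional_data', '1');
-AIOWPSecurity_Utility::redirect_to_url($logout_url);
+$logout_url_with_nonce = html_entity_decode(wp_nonce_url($logout_url, 'aio_logout'));
+AIOWPSecurity_Utility::redirect_to_url($logout_url_with_nonce);
 }
 }
 }
@@ -509,7 +510,7 @@ class AIOWPSecurity_User_Login
 $data = array('logout_date' => $logout_date_time);
 $where = array('user_id' => $user_id,
 'login_ip' => $ip_addr,
-'logout_date' => '1000-10-10 10:00:00');
+'logout_date' => '1000-10-00 10:00:00');
 $result = $wpdb->update($login_activity_table, $data, $where);
 if ($result === FALSE)
 {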
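Review bot: The added `html_entity_decode(wp_nonce_url(...))` line in the first hunk (`@@ -451,7 +451,8 @@`) has no comment explaining the decode, and it is not obvious: `wp_nonce_url()` returns an `esc_html()`-escaped URL (so the `&` between query parameters becomes `&amp;`), and the decode restores a literal `&` because the value is used as a redirect target rather than printed into HTML. Suggested: `// wp_nonce_url() HTML-escapes the URL; decode so the redirect carries a literal '&', not '&amp;'`. The comment should also note that `html_entity_decode()` decodes every entity, not only `&amp;`; that is harmless here because both query parameters are fixed literals, but it matters if the URL ever carries user-supplied data. The enclosing method starts and ends outside the hunk.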
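--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: Tips and Tricks HQ, wpsolutions, Peter Petreski, Ruhul Amin, mbrso
 Donate link: https://www.tipsandtricks-hq.com
 Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, firewall security, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict, login captcha, bot, hotlink, 404 detection, admin, rename, all in one, scan, scanner, iframe,
 Requires at least: 4.7
-Tested up to: 5.2
+Tested up to: 5.3
 Stable tag: trunk
 License: GPLv3
 
@@ -183,6 +183,14 @@ https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
 None
 
 == Changelog ==
+
+= 4.4.2 =
+- Fixed vulnerability related to open redirect and exposure of hidden login page for specific case. (Thanks to Erwan (wpscanteam) for letting us know)
+
+= 4.4.1 =
+- Fixed bug where Apache directives were not being re-added into the .htaccess file after plugin re-activation.
+- Fixed bug related to account activity logout date not being set.
+
 = 4.4.0 =
 - Added robustness to login lockdown feature by replacing the strtotime function with DateTime/DateInterval.
 This should prevent 32-bit systems from being constrained to the max date of 19 Jan 2038.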
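--- a/wp-security-core.php
+++ b/wp-security-core.php
@@ -7,7 +7,7 @@ if ( !defined('ABSPATH') ) {
 if (!class_exists('AIO_WP_Security')){
 
 class AIO_WP_Security{
-var $version = '4.4.0';
+var $version = '4.4.2';
 var $db_version = '1.9';
 var $plugin_url;
 var $plugin_path;
@@ -226,6 +226,10 @@ class AIO_WP_Security{
 global $aio_wp_security;
 if(isset($_GET['aiowpsec_do_log_out']))
 {
+$nonce = isset($_GET['_wpnonce'])?$_GET['_wpnonce']:'';
+if ( !wp_verify_nonce( $nonce, 'aio_logout' ) ) {
+return;
+}
 wp_logout();
 if(isset($_GET['after_logout']))//Redirect to the after logout url directly
 {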
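Review bot: The nonce read on the first added line of the second hunk (`@@ -226,6 +226,10 @@`) is taken raw from `$_GET['_wpnonce']` and may be an array (`?_wpnonce[]=`), which `wp_verify_nonce()` then casts to string with a PHP notice; the usual WordPress form, `$nonce = isset($_GET['_wpnonce']) && is_string($_GET['_wpnonce']) ? sanitize_text_field(wp_unslash($_GET['_wpnonce'])) : '';`, avoids both that and magic-quotes slashing. The silent `return;` on a failed check is a sensible default for a logout endpoint, but a comment such as `// Only honour logout (and the redirect that follows) for a nonce minted by this plugin's own logout flow; abort otherwise` would record the CSRF/open-redirect intent stated in the changelog. The `after_logout` redirect branch that follows is outside the hunk, so whether its target is validated cannot be checked from here; the first hunk is a version bump and needs nothing.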
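--- a/wp-security.php
+++ b/wp-security.php
@@ -1,7 +1,7 @@
 <?php
 /*
 Plugin Name: All In One WP Security
-Version: 4.4.0
+Version: 4.4.2
 Plugin URI: https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
 Author: Tips and Tricks HQ, Peter Petreski, Ruhul, Ivy
 Author URI: https://www.tipsandtricks-hq.com/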