iThemes Security (formerly Better WP Security) - Version 7.0.4

Version Description

  • Enhancement: Add mitigation for the WordPress Attachment File Traversal and Deletion vulnerability.
  • Tweak: Fire a WordPress action whenever settings are updated.
  • Bug Fix: Improved input sanitization on the logs page to prevent triggering warnings.

Release Info

Developer TimothyBlynJacobs
Version 7.0.4

Code changes from version 7.0.3 to 7.0.4

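--- a/better-wp-security.php
+++ b/better-wp-security.php
@@ -6,7 +6,7 @@
  * Description: Take the guesswork out of WordPress security. iThemes Security offers 30+ ways to lock down WordPress in an easy-to-use WordPress security plugin.
  * Author: iThemes
  * Author URI: https://ithemes.com
- * Version: 7.0.3
+ * Version: 7.0.4
  * Text Domain: better-wp-security
  * Network: True
  * License: GPLv2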
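--- a/core/admin-pages/logs-list-table.php
+++ b/core/admin-pages/logs-list-table.php
@@ -268,7 +268,7 @@ final class ITSEC_Logs_List_Table extends ITSEC_WP_List_Table {
  $hidden_fields = array( 'id' );
  $sortable_columns = $this->get_sortable_columns();
 
- if ( isset( $_GET['orderby'], $_GET['order'] ) ) {
+ if ( isset( $_GET['orderby'], $_GET['order'] ) && is_string( $_GET['orderby'] ) && is_string( $_GET['order'] ) ) {
  if ( preg_match( '/^[a-z_]+$/', $_GET['orderby'] ) ) {
  $sort_by_column = $_GET['orderby'];
  } else {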
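Review bot: The `is_string()` guards stop `preg_match()` from warning on array input, but the `/^[a-z_]+$/` test on the following line still accepts a value with a trailing newline, because `$` without the `D` modifier also matches just before a final `\n`; tighten it to `preg_match( '/^[a-z_]+$/D', $_GET['orderby'] )` so the whitelist is exact. Whether `$sort_by_column` is later checked against `$sortable_columns` is outside this hunk, so within the visible code the regex is the only gate on the request value. `$_GET['order']` is type-checked here but its value is not validated anywhere visible either. The enclosing method starts before the hunk and continues past it.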
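--- a/core/history.txt
+++ b/core/history.txt
@@ -722,3 +722,7 @@
  4.6.4 - 2018-06-18 - Chris Jean & Timothy Jacobs
  Security Fix: Fixed SQL injection vulnerability in the logs page. Note: Admin privileges are required to exploit this vulnerability. Thanks to Çlirim Emini, Penetration Tester at sentry.co.com, for reporting this vulnerability.
  Bug Fix: Provide default values for enabled requirements.
+ 4.6.5 - 2018-06-27 - Chris Jean & Timothy Jacobs
+ Enhancement: Add mitigation for the WordPress Attachment File Traversal and Deletion vulnerability.
+ Tweak: Fire a WordPress action whenever settings are updated.
+ Bug Fix: Improved input sanitization on the logs page to prevent triggering warnings.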
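--- a/core/lib/log-util.php
+++ b/core/lib/log-util.php
@@ -84,7 +84,6 @@ final class ITSEC_Log_Util {
  if ( in_array( $sort_by, $valid_columns ) ) {
  $sort_by_column[$index] = "$sort_by DESC";
  } else if ( ! preg_match( "/^$regex_valid_columns\s+(?:DESC|ASC)$/i", $sort_by ) ) {
- trigger_error( "Invalid sort_by_column format: $sort_by" );
  unset( $sort_by_column[$index] );
  }
  }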
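Review bot: With `trigger_error()` gone, a sort specification that matches neither `$valid_columns` nor the `DESC|ASC` pattern is now discarded without any trace, which is the right call for request-driven input but deserves a comment at the `unset()` so the warning is not reintroduced later: `// Unrecognised sort specs from the request are dropped silently; the remaining entries are kept.` While here, the `in_array( $sort_by, $valid_columns )` on the first line should pass `true` as its third argument so loose comparison cannot match a numeric-looking request value against a column name. The enclosing function starts before the hunk and ends after it.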
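--- a/core/lib/settings.php
+++ b/core/lib/settings.php
@@ -2,45 +2,45 @@
 
  abstract class ITSEC_Settings {
  protected $settings;
-
+
  public function __construct() {
  $this->load();
-
+
  add_action( 'itsec-lib-clear-caches', array( $this, 'load' ), 0 );
  }
-
+
  abstract public function get_id();
  abstract public function get_defaults();
  protected function after_save() {}
  protected function handle_settings_changes( $old_settings ) {}
-
+
  public function export() {
  return $this->settings;
  }
-
+
  public function import( $settings ) {
  $this->set_all( $settings );
  }
-
+
  public function get( $name, $default = null ) {
  if ( isset( $this->settings[$name] ) ) {
  return $this->settings[$name];
  }
-
+
  return $default;
  }
-
+
  public function get_all() {
  return $this->settings;
  }
-
+
  public function set( $name, $value ) {
  $settings = $this->settings;
  $settings[$name] = $value;
-
+
  return $this->set_all( $settings );
  }
-
+
  public function set_all( $settings ) {
  $retval = array(
  'old_settings' => $this->settings,
@@ -49,45 +49,47 @@ abstract class ITSEC_Settings {
  'messages' => array(),
  'saved' => false,
  );
-
+
  $validator = ITSEC_Modules::get_validator( $this->get_id() );
-
+
  if ( is_null( $validator ) ) {
  $retval['errors'][] = new WP_Error( 'itsec-settings-missing-validator-for-' . $this->get_id(), sprintf( __( 'The data validator for %1$s is missing. Data for the module cannot be saved without the validator. This error could indicate a bad install of iThemes Security. Please remove the plugin and reinstall it. If this message persists, please contact support and send them this error message.', 'better-wp-security' ), $this->get_id() ) );
  } else {
  $validator->validate( $settings );
-
+
  $retval['errors'] = $validator->get_errors();
  $retval['messages'] = $validator->get_messages();
-
+
  if ( $validator->can_save() ) {
  $this->settings = $validator->get_settings();
-
+
  ITSEC_Storage::set( $this->get_id(), $this->settings );
  $this->after_save();
  $this->handle_settings_changes( $retval['old_settings'] );
-
+
  $retval['new_settings'] = $this->settings;
  $retval['saved'] = true;
+
+ do_action( 'itsec-settings-updated', $this->get_id() );
  } else {
  ITSEC_Response::set_success( false );
  }
  }
-
+
  ITSEC_Response::add_errors( $retval['errors'] );
  ITSEC_Response::add_messages( $retval['messages'] );
-
+
  return $retval;
  }
-
+
  public function load() {
  $this->settings = ITSEC_Storage::get( $this->get_id() );
  $defaults = $this->get_defaults();
-
+
  if ( ! is_array( $this->settings ) ) {
  $this->settings = array();
  }
-
+
  $this->settings = array_merge( $defaults, $this->settings );
  }
  }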
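Review bot: The new `do_action( 'itsec-settings-updated', $this->get_id() )` hands listeners only the module id, so anything reacting to a change must re-read storage and cannot tell what changed, although both arrays are in scope on that line; passing them is backward-compatible: `do_action( 'itsec-settings-updated', $this->get_id(), $this->settings, $retval['old_settings'] );`. A public hook should also carry a docblock above it stating when it fires (only after validation succeeded and `ITSEC_Storage::set()` has run) and describing each parameter. Almost the whole hunk is whitespace-only churn on blank lines, which buries the single functional line; a separate whitespace commit would make the behavioural change reviewable on its own.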
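--- a/core/modules/global/active.php
+++ b/core/modules/global/active.php
@@ -157,4 +157,23 @@ function itsec_record_first_login( $username, $user ) {
  }
  }
 
- add_action( 'wp_login', 'itsec_record_first_login', 15, 2 );
+ add_action( 'wp_login', 'itsec_record_first_login', 15, 2 );
+
+ /**
+ * Basename the 'thumb' for attachments to prevent directory traversal
+ * when deleting the main attachment.
+ *
+ * @param array $data
+ *
+ * @return array
+ */
+ function itsec_basename_attachment_thumbs( $data ) {
+
+ if ( isset( $data['thumb'] ) && ITSEC_Modules::get_setting( 'wordpress-tweaks', 'patch_thumb_file_traversal' ) ) {
+ $data['thumb'] = basename( $data['thumb'] );
+ }
+
+ return $data;
+ }
+
+ add_filter( 'wp_update_attachment_metadata', 'itsec_basename_attachment_thumbs' );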
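Review bot: `itsec_basename_attachment_thumbs` is registered at the default priority on the last line, so any `wp_update_attachment_metadata` filter that runs after it can put a traversing `thumb` back in; a sanitising filter should run last: `add_filter( 'wp_update_attachment_metadata', 'itsec_basename_attachment_thumbs', PHP_INT_MAX );`. The function also feeds a non-string `thumb` straight into `basename()`, which warns on an array; mirror the logs-page fix in this same commit with `isset( $data['thumb'] ) && is_string( $data['thumb'] )`. Note that this hook only sees metadata written through `wp_update_attachment_metadata()`; if the `_wp_attachment_metadata` row can be set by another route, the filter never runs, so hooking the same callback on the read side (`wp_get_attachment_metadata`) as well would cover the value at the point where the deletion code presumably reads it. The docblock should also state that the mitigation is a no-op while the `patch_thumb_file_traversal` tweak is disabled.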
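--- a/core/modules/wordpress-tweaks/settings-page.php
+++ b/core/modules/wordpress-tweaks/settings-page.php
@@ -158,6 +158,14 @@ final class ITSEC_WordPress_Tweaks_Settings_Page extends ITSEC_Module_Settings_P
  </ul>
  </td>
  </tr>
+ <tr>
+ <th scope="row"><label for="itsec-wordpress-tweaks-patch_thumb_file_traversal"><?php esc_html_e( 'Mitigate Attachment File Traversal Attack', 'better-wp-security' ); ?></label></th>
+ <td>
+ <?php $form->add_checkbox( 'patch_thumb_file_traversal' ); ?>
+ <label for="itsec-wordpress-tweaks-patch_thumb_file_traversal"><?php esc_html_e( 'Prevent attachment thumbnails from traversing to other files.', 'better-wp-security' ); ?></label>
+ <p class="description"><?php esc_html_e( 'Disabling this feature is not recommended. This helps mitigate an attack where users with the "author" role or higher could delete any file in your WordPress installation including sensitive files like wp-config.php.', 'better-wp-security' ); ?></p>
+ </td>
+ </tr>
  </table>
  <?php
 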
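--- a/core/modules/wordpress-tweaks/settings.php
+++ b/core/modules/wordpress-tweaks/settings.php
@@ -19,6 +19,7 @@ final class ITSEC_Wordpress_Tweaks_Settings extends ITSEC_Settings {
  'disable_unused_author_pages' => false,
  'block_tabnapping' => false,
  'valid_user_login_type' => 'both',
+ 'patch_thumb_file_traversal' => true,
  );
  }
  }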
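--- a/core/modules/wordpress-tweaks/validator.php
+++ b/core/modules/wordpress-tweaks/validator.php
@@ -21,6 +21,7 @@ class ITSEC_WordPress_Tweaks_Validator extends ITSEC_Validator {
  $this->sanitize_setting( 'bool', 'disable_unused_author_pages', __( 'Disable Extra User Archives', 'better-wp-security' ) );
  $this->sanitize_setting( 'bool', 'block_tabnapping', __( 'Protect Against Tabnapping', 'better-wp-security' ) );
  $this->sanitize_setting( array( 'both', 'email', 'username' ), 'valid_user_login_type', __( 'Login with Email Address or Username', 'better-wp-security' ) );
+ $this->sanitize_setting( 'bool', 'patch_thumb_file_traversal', __( 'Mitigate Attachment File Traversal Attack', 'better-wp-security' ) );
  }
 
  protected function validate_settings() {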
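--- a/history.txt
+++ b/history.txt
@@ -785,3 +785,7 @@
  7.0.3 - 2018-06-18 - Chris Jean & Timothy Jacobs
  Security Fix: Fixed SQL injection vulnerability in the logs page. Note: Admin privileges are required to exploit this vulnerability. Thanks to Çlirim Emini, Penetration Tester at sentry.co.com, for reporting this vulnerability.
  Bug Fix: Provide default values for enabled requirements.
+ 7.0.4 - 2018-06-27 - Chris Jean & Timothy Jacobs
+ Enhancement: Add mitigation for the WordPress Attachment File Traversal and Deletion vulnerability.
+ Tweak: Fire a WordPress action whenever settings are updated.
+ Bug Fix: Improved input sanitization on the logs page to prevent triggering warnings.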
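--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: ithemes, chrisjean, gerroald, mattdanner, timothyblynjacobs
  Tags: security, security plugin, malware, hack, secure, block, SSL, admin, htaccess, lockdown, login, protect, protection, anti virus, attack, injection, login security, maintenance, permissions, prevention, authentication, administration, password, brute force, ban, permissions, bots, user agents, xml rpc, security log
  Requires at least: 4.7
  Tested up to: 4.9.6
- Stable tag: 7.0.3
+ Stable tag: 7.0.4
  Requires PHP: 5.2
  License: GPLv2 or later
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -189,6 +189,11 @@ Free support may be available with the help of the community in the <a href="htt
 
  == Changelog ==
 
+ = 7.0.4 =
+ * Enhancement: Add mitigation for the WordPress Attachment File Traversal and Deletion vulnerability.
+ * Tweak: Fire a WordPress action whenever settings are updated.
+ * Bug Fix: Improved input sanitization on the logs page to prevent triggering warnings.
+
  = 7.0.3 =
  * Security Fix: Fixed SQL injection vulnerability in the logs page. Note: Admin privileges are required to exploit this vulnerability. Thanks to Çlirim Emini, Penetration Tester at sentry.co.com, for reporting this vulnerability.
  * Bug Fix: Provide default values for enabled requirements.
@@ -476,5 +481,5 @@ Free support may be available with the help of the community in the <a href="htt
 
  == Upgrade Notice ==
 
- = 7.0.3 =
- Version 7.0.3 contains an important security big fix. It is recommended for all users.
+ = 7.0.4 =
+ Version 7.0.4 contains an important security bug fix. It is recommended for all users.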