Wordfence Security – Firewall & Malware Scan - Version 5.2.4

Version Description

  • Security release. Upgrade immediately.
  • This release fixes an XSS vulnerability on the Wordfence "view all traffic from IP" page.
  • Also fixes a hard-to-exploit XSS which exists if you have your site as the default site on your web server, Falcon enabled and debugging comments enabled.
  • Improves Revolution Slider protection.
  • Fixed bypass for fake googlebot blocking.

Release Info

Developer mmaunder
Version 5.2.4

Code changes from version 5.2.3 to 5.2.4

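--- a/lib/IPTraf.php
+++ b/lib/IPTraf.php
@@ -9,7 +9,11 @@
 <?php foreach($results as $key => $v){ ?>
 <tr><th>Time:</th><td><?php echo $v['timeAgo'] ?> ago -- <?php echo date(DATE_RFC822, $v['ctime']); ?> -- <?php echo $v['ctime']; ?> in Unixtime</td></tr>
 <?php if($v['timeSinceLastHit']){ echo '<th>Secs since last hit:</th><td>' . $v['timeSinceLastHit'] . '</td></tr>'; } ?>
+<?php if(wfUtils::hasXSS($v['URL'])){ ?>
+<tr><th>URL:</th><td><span style="color: #F00;">Possible XSS code filtered out for your security</span></td></tr>
+<?php } else { ?>
 <tr><th>URL:</th><td><a href="<?php echo $v['URL']; ?>" target="_blank"><?php echo $v['URL']; ?></a></td></tr>
+<?php } ?>
 <tr><th>Type:</th><td><?php if($v['type'] == 'hit'){ echo 'Normal request'; } else if($v['type'] == '404'){ echo '<span style="color: #F00;">Page not found</span>'; } ?></td></tr>
 <?php if($v['referer']){ ?><tr><th>Referrer:</th><td><a href="<?php echo $v['referer']; ?>" target="_blank"><?php echo $v['referer']; ?></a></td></tr><?php } ?>
 <tr><th>Full Browser ID:</th><td><?php echo esc_html($v['UA']); ?></td></tr>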
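Review bot: The URL on the else-branch line is still echoed unescaped into both an href attribute and element text; wfUtils::hasXSS() only rejects values that fail one regular expression, so the page's safety now rests entirely on that pattern never being relaxed. Since this template already uses esc_html() for the UA cell, escape at the output site as well: `<tr><th>URL:</th><td><a href="<?php echo esc_url($v['URL']); ?>" target="_blank"><?php echo esc_html($v['URL']); ?></a></td></tr>`. The referer row two lines below has the same shape and would benefit from the same treatment, and timeAgo and timeSinceLastHit are also printed raw, though their origin is not visible here. The foreach block continues past the end of the hunk.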
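--- a/lib/wfCache.php
+++ b/lib/wfCache.php
@@ -154,8 +154,8 @@ class wfCache {
 $append .= "Time created on server: " . date('Y-m-d H:i:s T') . ". ";
 $append .= "Is HTTPS page: " . (self::isHTTPSPage() ? 'HTTPS' : 'no') . ". ";
 $append .= "Page size: " . strlen($buffer) . " bytes. ";
-$append .= "Host: " . ($_SERVER['HTTP_HOST'] ? $_SERVER['HTTP_HOST'] : $_SERVER['SERVER_NAME']) . ". ";
-$append .= "Request URI: " . $_SERVER['REQUEST_URI'] . " ";
+$append .= "Host: " . ($_SERVER['HTTP_HOST'] ? htmlentities($_SERVER['HTTP_HOST']) : htmlentities($_SERVER['SERVER_NAME'])) . ". ";
+$append .= "Request URI: " . htmlentities($_SERVER['REQUEST_URI']) . " ";
 $appendGzip = $append . " Encoding: GZEncode -->\n";
 $append .= " Encoding: Uncompressed -->\n";
 }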
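Review bot: Both added htmlentities() calls rely on the default flags and charset, which differ between PHP versions (the default charset was ISO-8859-1 before PHP 5.4, and ENT_COMPAT leaves single quotes alone), so the encoding of Host and Request URI is not deterministic across the PHP versions this plugin runs on. Pass them explicitly, e.g. `htmlentities($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8')`, and likewise for the two HTTP_HOST/SERVER_NAME calls. Because this text lands inside an HTML comment, it is the encoding of `>` that keeps an early `-->` from closing it, which is worth stating in a short comment since the intent is not obvious from the line. The Host line still reads $_SERVER['HTTP_HOST'] with a bare truthiness test and raises an undefined-index notice when the header is absent; `isset($_SERVER['HTTP_HOST'])` would avoid that, though this is pre-existing. The enclosing method begins before the hunk.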
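--- a/lib/wfLog.php
+++ b/lib/wfLog.php
@@ -505,7 +505,7 @@ class wfLog {
 $res['IP'] = wfUtils::inet_ntoa($res['IP']);
 $res['extReferer'] = false;
 if(isset( $res['referer'] ) && $res['referer']){
-if(! preg_match('/^https?:\/\/[a-z0-9\.\-]+\/[^\':<>\"\\\]*$/i', $res['referer'] )){ //filtering out XSS
+if(wfUtils::hasXSS($res['referer'] )){ //filtering out XSS
 $res['referer'] = '';
 }
 }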
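Review bot: The replacement condition keeps the comment `//filtering out XSS`, which describes the check as a sanitiser, but wfUtils::hasXSS() is an allowlist test that also blanks legitimate referers (for example any URL with a port in the host, or a backslash anywhere) and does not make the surviving value safe for any output context. A comment stating the real contract would help the next reader: `// Keep only plain http(s) referers (host + path, no quotes, angle brackets or backslashes); anything else is blanked. Output must still be escaped.` The surrounding method starts and ends outside the hunk.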
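--- a/lib/wfUtils.php
+++ b/lib/wfUtils.php
@@ -136,7 +136,7 @@ class wfUtils {
 public static function getIP(){
 //You can use the following examples to force Wordfence to think a visitor has a certain IP if you're testing. Remember to re-comment this out or you will break Wordfence badly.
 //return '1.2.33.57';
-//return '4.2.3.14';
+//return '4.22.23.114';
 //return self::makeRandomIP();
 
 $howGet = wfConfig::get('howGetIPs', false);
@@ -642,6 +642,13 @@ class wfUtils {
 }
 return true;
 }
+public static function hasXSS($URL){
+if(! preg_match('/^https?:\/\/[a-z0-9\.\-]+\/[^\':<>\"\\\]*$/i', $URL)){
+return true;
+} else {
+return false;
+}
+}
 }
 
 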
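Review bot: hasXSS() in the second hunk returns a boolean through an if/else that can be a single expression, and its name overstates what it does: it reports that the value is not a plain `http(s)://host/path` string free of quotes, angle brackets, backslashes or a further colon, which is an allowlist test rather than XSS detection. I would write it as `public static function hasXSS($URL){ return ! preg_match('/^https?:\/\/[a-z0-9\.\-]+\/[^\':<>\"\\\]*$/i', $URL); }` with a docblock saying it returns true for anything outside that allowlist, including on preg_match() failure, since false negates to true and so fails closed. The callers in wfLog.php and IPTraf.php use it as a gate, so the docblock should also state that it does not escape or rewrite the value. The first hunk only changes a commented-out test IP.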
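--- a/lib/wordfenceClass.php
+++ b/lib/wordfenceClass.php
@@ -332,7 +332,10 @@ class wordfence {
 }
 public static function initProtection(){
 if(preg_match('/\/wp\-admin\/admin\-ajax\.php/', $_SERVER['REQUEST_URI'])){
-if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'revslider_show_image' && isset($_REQUEST['img']) && preg_match('/\.php$/i', $_REQUEST['img']) ){
+if(
+(isset($_GET['action']) && $_GET['action'] == 'revslider_show_image' && isset($_GET['img']) && preg_match('/\.php$/i', $_GET['img'])) ||
+(isset($_POST['action']) && $_POST['action'] == 'revslider_show_image' && isset($_POST['img']) && preg_match('/\.php$/i', $_POST['img']))
+){
 self::getLog()->do503(86400, "URL not allowed. Slider Revolution Hack attempt detected. #2");
 exit(); //function above exits anyway
 }
@@ -1881,7 +1884,7 @@ class wordfence {
 return array('err' => 1, 'errorMsg' => "The IP address " . htmlentities($IP) . " is whitelisted and can't be blocked or it is in a range of internal IP addresses that Wordfence does not block. You can remove this IP from the whitelist on the Wordfence options page.");
 }
 if(wfConfig::get('neverBlockBG') != 'treatAsOtherCrawlers'){ //Either neverBlockVerified or neverBlockUA is selected which means the user doesn't want to block google
-if(wfCrawl::verifyCrawlerPTR('/googlebot\.com$/i', $IP)){
+if(wfCrawl::verifyCrawlerPTR('/\.googlebot\.com$/i', $IP)){
 return array('err' => 1, 'errorMsg' => "The IP address you're trying to block belongs to Google. Your options are currently set to not block these crawlers. Change this in Wordfence options if you want to manually block Google.");
 }
 }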
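Review bot: The new condition in the first hunk duplicates the whole action/img test once for $_GET and once for $_POST, so any future tightening has to be made in two places, and the reason for dropping the $_REQUEST form is not recorded (presumably so the check no longer depends on request_order or cookie contents, but the hunk does not say). A loop over the two arrays keeps a single copy of the test and lets a comment state the intent; the `==` comparisons can be `===` since both sides are strings. The second hunk's `\.googlebot\.com$` anchor is the right fix for suffix-matching hostnames. initProtection() continues past the end of the hunk.
```php
if(preg_match('/\/wp\-admin\/admin\-ajax\.php/', $_SERVER['REQUEST_URI'])){
    // GET and POST are tested separately (not via $_REQUEST) so the result
    // does not depend on request_order or on cookie contents.
    foreach(array($_GET, $_POST) as $params){
        if(isset($params['action']) && $params['action'] === 'revslider_show_image' && isset($params['img']) && preg_match('/\.php$/i', $params['img'])){
            self::getLog()->do503(86400, "URL not allowed. Slider Revolution Hack attempt detected. #2");
            exit(); //function above exits anyway
        }
    }
    // … unchanged: remainder of initProtection …
```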
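--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: mmaunder
 Tags: wordpress, security, performance, speed, caching, cache, caching plugin, wordpress cache, wordpress caching, wordpress security, security plugin, secure, anti-virus, malware, firewall, antivirus, virus, google safe browsing, phishing, scrapers, hacking, wordfence, securty, secrity, secure, two factor, cellphone sign-in, cellphone signin, cellphone, twofactor, security, secure, htaccess, login, log, users, login alerts, lock, chmod, maintenance, plugin, private, privacy, protection, permissions, 503, base64, injection, code, encode, script, attack, hack, hackers, block, blocked, prevent, prevention, RFI, XSS, CRLF, CSRF, SQL Injection, vulnerability, website security, WordPress security, security log, logging, HTTP log, error log, login security, personal security, infrastructure security, firewall security, front-end security, web server security, proxy security, reverse proxy security, secure website, secure login, two factor security, maximum login security, heartbleed, heart bleed, heartbleed vulnerability, openssl vulnerability, nginx, litespeed, php5-fpm, woocommerce support, woocommerce caching
 Requires at least: 3.3.1
 Tested up to: 4.0
-Stable tag: 5.2.3
+Stable tag: 5.2.4
 
 Wordfence Security is a free enterprise class security and performance plugin that makes your site up to 50 times faster and more secure.
 
@@ -163,6 +163,13 @@ cause a security hole on your site.
 
 == Changelog ==
 
+= 5.2.4 =
+* Security release. Upgrade immediately.
+* This release fixes an XSS vunlerability on Wordfence "view all traffic from IP" page.
+* Also fixes a hard to exploit XSS which exists if you have your site as the default site on your web server, falcon enabled and debugging comments enabled.
+* Improves Revolution Slider proteciton.
+* Fixed bypass for fake googlebot blocking.
+
 = 5.2.3 =
 * Updated Geo IP country database to newest version (September 2014 edition)
 * Security fix. Improved referrer sanitization in live traffic.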
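--- a/wordfence.php
+++ b/wordfence.php
@@ -4,13 +4,13 @@ Plugin Name: Wordfence Security
 Plugin URI: http://www.wordfence.com/
 Description: Wordfence Security - Anti-virus, Firewall and High Speed Cache
 Author: Wordfence
-Version: 5.2.3
+Version: 5.2.4
 Author URI: http://www.wordfence.com/
 */
 if(defined('WP_INSTALLING') && WP_INSTALLING){
 return;
 }
-define('WORDFENCE_VERSION', '5.2.3');
+define('WORDFENCE_VERSION', '5.2.4');
 if(get_option('wordfenceActivated') != 1){
 add_action('activated_plugin','wordfence_save_activation_error'); function wordfence_save_activation_error(){ update_option('wf_plugin_act_error', ob_get_contents()); }
 }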