Message-ID: <57188B6D.7050401@sysdream.com>
Date: Thu, 21 Apr 2016 09:12:29 +0100
From: Sysdream Labs <labs@...dream.com>
To: oss-security@...ts.openwall.com, fulldisclosure@...lists.org
Subject: WordPress iThemes Security (Better WP Security) Insecure
 Backup/Logfile Generation (predictable filename)

WordPress iThemes Security (Better WP Security) Insecure Backup/Logfile Generation (predictable filename)
=========================================================================================================


Description
===========

When the "database backup/logging on filesystem" feature is enabled, iThemes Security builds the backup/log filename from a weak random suffix. An attacker who knows when the backup/log file was generated (its timestamp) can therefore guess the filename and retrieve the backup/log file.

**Access Vector**: remote

**Security Risk**: medium

**Vulnerability**: CWE-330

**CVSS Base Score**: 7.5


---------------
Vulnerable code
---------------

The vulnerable code is located at core/modules/backup/class-itsec-backup.php, line 244:

        $file = 'backup-' . substr( sanitize_title( get_bloginfo( 'name' ) ), 0, 20 ) . '-' . $current_time . '-' . ITSEC_Lib::get_random( mt_rand( 5, 10 ) );

In core/class-itsec-logger.php, line  :

        $itsec_globals['settings']['log_info'] = substr( sanitize_title( get_bloginfo( 'name' ) ), 0, 20 ) . '-' . ITSEC_Lib::get_random( mt_rand( 0, 10 ) );


In core/class-itsec-lib.php, function get_random, line 415:

        public static function get_random( $length, $base32 = false, $special_chars = false ) {

                if ( true === $base32 ) {
                        $string = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
                } else {
                        $string = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
                        if ( true === $special_chars ) {
                                $string .= '_)(*&^%$#@!~`:;<>,.?/{}[]|';
                        }
                }

                // Neither str_shuffle() nor mt_rand() is a cryptographically secure
                // generator. The result is a window cut out of one permutation of the
                // alphabet, so no character can repeat and the keyspace is far smaller
                // than an independent draw per character would give.
                return substr( str_shuffle( $string ), mt_rand( 0, strlen( $string ) - $length ), $length );
        }


str_shuffle() must *never* be used to generate secure strings: it relies on PHP's rand() generator and merely permutes the positions of the characters it is given.

--------
Solution
--------

Generate the random part of the filename with a cryptographically secure generator so that it cannot be predicted.
Update iThemes Security to version >= 5.3.1.
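The following is an added example, not iThemes' code or its 5.3.1 fix: a drop-in style replacement for the suffix generator that draws every character independently from PHP's CSPRNG (random_int(), PHP >= 7.0, an assumption), together with a fixed-length suffix instead of one whose length is itself chosen by mt_rand(5, 10). The site-name slug helper stands in for WordPress' sanitize_title() and is an assumption.

```php
<?php
// Added example (not part of the iThemes Security code base).
// Assumes PHP >= 7.0 for random_int().

const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Hardened replacement for ITSEC_Lib::get_random(): each character is an
// independent, unbiased draw from the CSPRNG, so characters may repeat and
// the keyspace is the full 62^length.
function secure_random_string(int $length): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be >= 1');
    }
    $max = strlen(ALPHABET) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= ALPHABET[random_int(0, $max)];
    }
    return $out;
}

// Nominal entropy, in bits, of a suffix of $length characters over ALPHABET
// when every character is drawn independently.
function nominal_entropy_bits(int $length): float
{
    return $length * log(strlen(ALPHABET), 2);
}

// Minimal stand-in for WordPress' sanitize_title() (assumption, not the real one).
function slugify(string $name): string
{
    return trim(preg_replace('/[^a-z0-9]+/', '-', strtolower($name)), '-');
}

// Same layout as the original backup filename, but with a 32-character
// CSPRNG suffix instead of a 5..10-character mt_rand()/str_shuffle() one.
function backup_filename(string $site_name, int $current_time): string
{
    return 'backup-' . substr(slugify($site_name), 0, 20) . '-'
         . $current_time . '-' . secure_random_string(32);
}

// Compare the weakest original suffix (5 chars, even if drawn perfectly)
// with the hardened one.
printf("5-char suffix, upper bound: %.1f bits\n", nominal_entropy_bits(5));   // ~29.8
printf("32-char CSPRNG suffix:      %.1f bits\n", nominal_entropy_bits(32));  // ~190.5
echo backup_filename('My Blog', 1461226349), "\n";
```

The 29.8-bit figure is only an upper bound for the original code, since a window of a shuffled alphabet cannot contain repeated characters and the generator itself is not cryptographically secure.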

Affected versions
=================

* iThemes Security <= 5.3.0

Timeline (dd/mm/yyyy)
=====================

* 26/02/2016 : Initial contact with iThemes.
* 26/02/2016 : iThemes confirms the vulnerabilities.
* 29/02/2016 : iThemes publishes a new version (5.3.1) of iThemes Security that fixes the vulnerabilities.

Credits
=======

* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)



-- 
SYSDREAM Labs <labs@...dream.com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream

