v3.9.1 released

all-in-one-wp-security/admin/wp-security-dashboard-menu.php

@@ -10,6 +10,7 @@ class AIOWPSecurity_Dashboard_Menu extends AIOWPSecurity_Admin_Menu
         'tab1' => 'render_tab1', 
         'tab2' => 'render_tab2',
         'tab3' => 'render_tab3',
+        'tab4' => 'render_tab4',
         );
 
     function __construct() 
@@ -23,6 +24,7 @@ function set_menu_tabs()
         'tab1' => __('Dashboard','aiowpsecurity'), 
         'tab2' => __('System Info','aiowpsecurity'),
         'tab3' => __('Locked IP Addresses','aiowpsecurity'),
+        'tab4' => __('AIOWPS Logs','aiowpsecurity'),
         );
     }
 
@@ -674,6 +676,76 @@ function render_tab3()
             </form>
         </div></div>
 
+        <?php
+    }
+
+    function render_tab4()
+    {
+        global $wpdb;
+        $file_selected = isset($_POST["aiowps_log_file"])?$_POST["aiowps_log_file"]:'';
+        ?>
+        <div class="postbox">
+        <h3><label for="title"><?php _e('View Logs for All In WP Security & Firewall Plugin', 'aiowpsecurity');?></label></h3>
+        <div class="inside">
+        <form action="" method="POST">
+        <?php wp_nonce_field('aiowpsec-dashboard-logs-nonce'); ?>
+        <table class="form-table">
+            <tr valign="top">
+                <th scope="row"><?php _e('Backup Time Interval', 'aiowpsecurity')?>:</th>
+                <td>
+                    <select id="aiowps_log_file" name="aiowps_log_file">
+                        <option value=""><?php _e('--Select a file--', 'aiowpsecurity')?></option>
+                        <option value="wp-security-log.txt" <?php selected($file_selected, 'wp-security-log.txt'); ?>>wp-security-log</option>
+                        <option value="wp-security-log-cron-job.txt" <?php selected($file_selected, 'wp-security-log-cron-job.txt'); ?>>wp-security-log-cron-job</option>
+                    </select>
+                <span class="description"><?php _e('Select one of the log files to view the contents', 'aiowpsecurity'); ?></span>
+                </td> 
+            </tr>
+        </table>
+        <input type="submit" name="aiowps_view_logs" value="<?php _e('View Logs', 'aiowpsecurity')?>" class="button-primary" />
+        </form>
+
+        </div></div>
+        <?php
+        if(isset($_POST['aiowps_view_logs']))//Do form submission tasks
+        {
+            $error = '';
+            $nonce=$_REQUEST['_wpnonce'];
+            if (!wp_verify_nonce($nonce, 'aiowpsec-dashboard-logs-nonce'))
+            {
+                $aio_wp_security->debug_logger->log_debug("Nonce check failed on dashboard view logs!",4);
+                die("Nonce check failed on dashboard view logs!");
+            }
+
+            if(!empty($file_selected)){
+        ?>
+        <div class="postbox">
+        <h3><label for="title"><?php echo __('Log File Contents For', 'aiowpsecurity').': '.$file_selected;?></label></h3>
+        <div class="inside">
+            <?php
+            $aiowps_log_dir = AIO_WP_SECURITY_PATH.'/logs';
+            $log_file = $aiowps_log_dir .'/'.$file_selected;
+            if(file_exists($log_file)){
+                $log_contents = AIOWPSecurity_Utility_File::get_file_contents($log_file);
+            }else{
+                $log_contents = '';
+            }
+
+            if(empty($log_contents)){$log_contents = $file_selected.': '.__('Log file is empty!','aiowpsecurity');}
+            ?>
+            <textarea class="aio_text_area_file_output aio_half_width aio_spacer_10_tb" rows="15" readonly><?php echo $log_contents; ?></textarea>
+
+        </div>
+        </div>
+
+        <?php
+
+            }
+        }
+        ?>
+
+
+
         <?php
     }
 

all-in-one-wp-security/admin/wp-security-database-menu.php

@@ -539,7 +539,7 @@ function get_mysql_tables($database='')
     {
         global $aio_wp_security;
         $tables = array();
-        $list_tables_sql = "SHOW TABLES FROM {$database};";
+        $list_tables_sql = "SHOW TABLES FROM `{$database}`;";
         $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
 
         if ($mysqli->connect_errno) {

all-in-one-wp-security/admin/wp-security-list-404.php

@@ -289,7 +289,7 @@ function prepare_items() {
             $search_term = trim($_POST['s']);
             $data = $wpdb->get_results($wpdb->prepare("SELECT * FROM " . $events_table_name . " WHERE `ip_or_host` LIKE '%%%s%%' OR `url` LIKE '%%%s%%' OR `referer_info` LIKE '%%%s%%'", $search_term, $search_term, $search_term), ARRAY_A);
         } else {
-            $data = $wpdb->get_results("SELECT * FROM $events_table_name ORDER BY $orderby $order", ARRAY_A);
+            $data = $wpdb->get_results($wpdb->prepare("SELECT * FROM $events_table_name ORDER BY %s %s",$orderby, $order ), ARRAY_A);
         }
         $new_data = array();
         foreach ($data as $row) {

all-in-one-wp-security/admin/wp-security-list-acct-activity.php

@@ -162,7 +162,7 @@ function prepare_items() {
 	$orderby = !empty($orderby) ? esc_sql($orderby) : 'login_date';
 	$order = !empty($order) ? esc_sql($order) : 'DESC';
 
-	$data = $wpdb->get_results("SELECT * FROM $login_activity_table ORDER BY $orderby $order LIMIT 50", ARRAY_A); //Get the last 50 records
+	$data = $wpdb->get_results($wpdb->prepare("SELECT * FROM $login_activity_table ORDER BY %s %s LIMIT 50",$orderby, $order), ARRAY_A); //Get the last 50 records
         $current_page = $this->get_pagenum();
         $total_items = count($data);
         $data = array_slice($data,(($current_page-1)*$per_page),$per_page);

all-in-one-wp-security/admin/wp-security-list-locked-ip.php

@@ -210,7 +210,7 @@ function prepare_items() {
 	$orderby = !empty($orderby) ? esc_sql($orderby) : 'lockdown_date';
 	$order = !empty($order) ? esc_sql($order) : 'DESC';
 
-	$data = $wpdb->get_results("SELECT * FROM $lockdown_table_name WHERE release_date > now() ORDER BY $orderby $order", ARRAY_A);
+	$data = $wpdb->get_results($wpdb->prepare("SELECT * FROM $lockdown_table_name WHERE release_date > now() ORDER BY %s %s", $orderby, $order), ARRAY_A);
         $current_page = $this->get_pagenum();
         $total_items = count($data);
         $data = array_slice($data,(($current_page-1)*$per_page),$per_page);

all-in-one-wp-security/admin/wp-security-list-logged-in-users.php

@@ -18,6 +18,23 @@ function column_default($item, $column_name){
     	return $item[$column_name];
     }
 
+    function column_user_id($item){
+        $tab = strip_tags($_REQUEST['tab']);
+        $force_logout_url = sprintf('admin.php?page=%s&tab=%s&action=%s&logged_in_id=%s&ip_address=%s', AIOWPSEC_USER_LOGIN_MENU_SLUG, $tab, 'force_user_logout', $item['user_id'], $item['ip_address']);
+        //Add nonce to URL
+        $force_logout_nonce = wp_nonce_url($force_logout_url, "force_user_logout", "aiowps_nonce");
+
+        //Build row actions
+        $actions = array(
+            'logout' => '<a href="'.$force_logout_nonce.'" onclick="return confirm(\'Are you sure you want to force this user to be logged out of this session?\')">Force Logout</a>',
+        );
+
+        //Return the user_login contents
+        return sprintf('%1$s <span style="color:silver"></span>%2$s',
+            /*$1%s*/ $item['user_id'],
+            /*$2%s*/ $this->row_actions($actions)
+        );
+    }
 
     function get_columns(){
         $columns = array(
@@ -44,6 +61,45 @@ function get_bulk_actions() {
     function process_bulk_action() {
     }
 
+    /*
+     * This function will force a selected user to be logged out.
+     * The function accepts either an array of IDs or a single ID (TODO - bulk actions not implemented yet!)
+     */
+    function force_user_logout($user_id, $ip_addr)
+    {
+        global $wpdb, $aio_wp_security;
+        if (is_array($user_id))
+        {
+            if (isset($_REQUEST['_wp_http_referer']))
+            {
+                //TODO - implement bulk action in future release!
+            }
+        } 
+        elseif ($user_id != NULL)
+        {
+            $nonce=isset($_GET['aiowps_nonce'])?$_GET['aiowps_nonce']:'';
+            if (!isset($nonce) ||!wp_verify_nonce($nonce, 'force_user_logout'))
+            {
+                $aio_wp_security->debug_logger->log_debug("Nonce check failed for force user logout operation!",4);
+                die(__('Nonce check failed for force user logout operation!','aiowpsecurity'));
+            }
+            //Force single user logout
+            $user_id = absint($user_id);
+            $manager = WP_Session_Tokens::get_instance( $user_id );
+            $manager->destroy_all();
+            //
+            $aio_wp_security->user_login_obj->update_user_online_transient($user_id, $ip_addr);
+//            if($result != NULL)
+//            {
+                $success_msg = '<div id="message" class="updated fade"><p><strong>';
+                $success_msg .= __('The selected user was logged out successfully!','aiowpsecurity');
+                $success_msg .= '</strong></p></div>';
+                _e($success_msg);
+//            }
+        }
+    }
+
+
     function prepare_items() {
         //First, lets decide how many records per page to show
         $per_page = 20;

all-in-one-wp-security/admin/wp-security-list-login-fails.php

@@ -161,7 +161,7 @@ function prepare_items() {
 	$orderby = !empty($orderby) ? esc_sql($orderby) : 'failed_login_date';
 	$order = !empty($order) ? esc_sql($order) : 'DESC';
 
-	$data = $wpdb->get_results("SELECT * FROM $failed_logins_table_name ORDER BY $orderby $order", ARRAY_A);
+	$data = $wpdb->get_results($wpdb->prepare("SELECT * FROM $failed_logins_table_name ORDER BY %s %s;", $orderby, $order), ARRAY_A);
         $current_page = $this->get_pagenum();
         $total_items = count($data);
         $data = array_slice($data,(($current_page-1)*$per_page),$per_page);

all-in-one-wp-security/admin/wp-security-user-login-menu.php

@@ -454,6 +454,12 @@ function render_tab5()
         global $aio_wp_security;
         include_once 'wp-security-list-logged-in-users.php'; //For rendering the AIOWPSecurity_List_Table
         $user_list = new AIOWPSecurity_List_Logged_In_Users();
+        if(isset($_REQUEST['action'])) //Do row action tasks for list table form for login activity display
+        {
+            if($_REQUEST['action'] == 'force_user_logout'){ //Force Logout link was clicked for a row in list table
+                $user_list->force_user_logout(strip_tags($_REQUEST['logged_in_id']), strip_tags($_REQUEST['ip_address']));
+            }
+        }
 
         if (isset($_POST['aiowps_refresh_logged_in_user_list']))
         {
@@ -465,11 +471,6 @@ function render_tab5()
             }
 
             $user_list->prepare_items();
-
-//        if(isset($_REQUEST['action'])) //Do list table form row action tasks
-//        {
-            //no actions for now
-//        }
         }
 
         ?>
@@ -486,6 +487,7 @@ function render_tab5()
             <?php
             echo '<p>'.__('This tab displays all users who are currently logged into your site.', 'aiowpsecurity').'
                 <br />'.__('If you suspect there is a user or users who are logged in which should not be, you can block them by inspecting the IP addresses from the data below and adding them to your blacklist.', 'aiowpsecurity').'
+                <br />'.__('You can also instantly log them out by clicking on the "Force Logout" link when you hover over the row in the User Id column.', 'aiowpsecurity').'                    
             </p>';
             ?>
         </div>

all-in-one-wp-security/classes/wp-security-installer.php

@@ -26,7 +26,7 @@ static function run_installer()
         AIOWPSecurity_Installer::create_db_tables();
         AIOWPSecurity_Configure_Settings::add_option_values();
         AIOWPSecurity_Installer::create_db_backup_dir(); //Create a backup dir in the WP uploads directory
-
+        AIOWPSecurity_Installer::miscellaneous_tasks();
     }
 
     static function create_db_tables()
@@ -133,16 +133,22 @@ static function create_db_backup_dir()
             $handle = fopen($index_file, 'w'); //or die('Cannot open file:  '.$index_file);
             fclose($handle);
         }
-        //Create an .htacces file
-        //Write some rules which will only allow people originating from wp admin page to download the DB backup
-        $rules = '';
-        $rules .= 'order deny,allow
-deny from all' . PHP_EOL;
-        $file = $aiowps_dir.'/.htaccess';
-        $write_result = file_put_contents($file, $rules);
-        if ($write_result === false)
-        {
-            $aio_wp_security->debug_logger->log_debug("Creation of .htaccess file in ".AIO_WP_SECURITY_BACKUPS_DIR_NAME." directory failed!",4);
+        $server_type = AIOWPSecurity_Utility::get_server_type();
+        //Only create .htaccess if server is the right type
+        if($server_type == 'apache' || $server_type == 'litespeed'){
+            $file = $aiowps_dir.'/.htaccess';
+            if(!file_exists($file)){
+                //Create an .htacces file
+                //Write some rules which will only allow people originating from wp admin page to download the DB backup
+                $rules = '';
+                $rules .= 'order deny,allow' . PHP_EOL;
+                $rules .= 'deny from all' . PHP_EOL;
+                $write_result = file_put_contents($file, $rules);
+                if ($write_result === false)
+                {
+                    $aio_wp_security->debug_logger->log_debug("Creation of .htaccess file in ".AIO_WP_SECURITY_BACKUPS_DIR_NAME." directory failed!",4);
+                }
+            }
         }
     }
 
@@ -173,6 +179,35 @@ static function reactivation_tasks()
             return false;
         }
     }
+
+    static function miscellaneous_tasks()
+    {
+        //Create .htaccess file to protect log files in "logs" dir
+        self::create_htaccess_logs_dir();
+    }
+
+    static function create_htaccess_logs_dir()
+    {
+        global $aio_wp_security;
+        $aiowps_log_dir = AIO_WP_SECURITY_PATH.'/logs';
+        $server_type = AIOWPSecurity_Utility::get_server_type();
+        //Only create .htaccess if server is the right type
+        if($server_type == 'apache' || $server_type == 'litespeed'){
+            $file = $aiowps_log_dir.'/.htaccess';
+            if(!file_exists($file)){
+                //Write some rules which will stop people from viewing the log files publicly
+                $rules = '';
+                $rules .= 'order deny,allow' . PHP_EOL;
+                $rules .= 'deny from all' . PHP_EOL;
+                $write_result = file_put_contents($file, $rules);
+                if ($write_result === false)
+                {
+                    $aio_wp_security->debug_logger->log_debug("Creation of .htaccess file in ".$aiowps_log_dir." directory failed!",4);
+                }
+            }
+        }
+    }
+
 
 //    //Read entire contents of file at activation time and store serialized contents in our global_meta table
 //    static function backup_file_contents_to_db_at_activation($src_file, $key_description)

all-in-one-wp-security/classes/wp-security-utility-htaccess.php

@@ -55,34 +55,12 @@ function __construct(){
         //NOP
     }
 
-    //Gets server type. Returns -1 if server is not supported
-    static function get_server_type()
-    {
-        //figure out what server they're using
-        if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'apache'))
-        {
-            return 'apache';
-        } 
-        else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'nginx'))
-        {
-            return 'nginx';
-        } 
-        else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'litespeed'))
-        {
-            return 'litespeed';
-        }
-        else 
-        { //unsupported server
-            return -1;
-        }
-
-    }
-
+
     static function write_to_htaccess()
     {
        global $aio_wp_security;
         //figure out what server is being used
-        if (AIOWPSecurity_Utility_Htaccess::get_server_type() == -1) 
+        if (AIOWPSecurity_Utility::get_server_type() == -1) 
         {
             $aio_wp_security->debug_logger->log_debug("Unable to write to .htaccess - server type not supported!",4);
             return -1; //unable to write to the file
@@ -272,7 +250,7 @@ static function getrules_block_wp_file_access()
     static function getrules_blacklist()
     {
         global $aio_wp_security;
-	$aiowps_server = AIOWPSecurity_Utility_Htaccess::get_server_type();	
+	$aiowps_server = AIOWPSecurity_Utility::get_server_type();	
         $rules = '';
         if($aio_wp_security->configs->get_value('aiowps_enable_blacklisting')=='1') 
         {

all-in-one-wp-security/classes/wp-security-utility.php

@@ -457,5 +457,29 @@ static function cleanup_table($table_name, $max_rows = '10000')
         return ($result === false)?false:true;
     }
 
+    //Gets server type. Returns -1 if server is not supported
+    static function get_server_type()
+    {
+        //figure out what server they're using
+        if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'apache'))
+        {
+            return 'apache';
+        } 
+        else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'nginx'))
+        {
+            return 'nginx';
+        } 
+        else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'litespeed'))
+        {
+            return 'litespeed';
+        }
+        else 
+        { //unsupported server
+            return -1;
+        }
+
+    }
+
+
 
 }