From 3c39889451c68e5528e081911e978b168c6638a0 Mon Sep 17 00:00:00 2001 From: amin0_000 Date: Tue, 7 Apr 2015 08:43:56 +1000 Subject: [PATCH] v3.9.1 released --- .../admin/wp-security-dashboard-menu.php | 72 +++++++++++++++++++ .../admin/wp-security-database-menu.php | 2 +- .../admin/wp-security-list-404.php | 2 +- .../admin/wp-security-list-acct-activity.php | 2 +- .../admin/wp-security-list-locked-ip.php | 2 +- .../wp-security-list-logged-in-users.php | 56 +++++++++++++++ .../admin/wp-security-list-login-fails.php | 2 +- .../admin/wp-security-user-login-menu.php | 12 ++-- .../classes/wp-security-installer.php | 57 ++++++++++++--- .../classes/wp-security-utility-htaccess.php | 28 +------- .../classes/wp-security-utility.php | 24 +++++++ all-in-one-wp-security/readme.txt | 9 ++- all-in-one-wp-security/wp-security-core.php | 2 +- all-in-one-wp-security/wp-security.php | 2 +- 14 files changed, 223 insertions(+), 49 deletions(-) diff --git a/all-in-one-wp-security/admin/wp-security-dashboard-menu.php b/all-in-one-wp-security/admin/wp-security-dashboard-menu.php index 6302d02..e12aa8f 100644 --- a/all-in-one-wp-security/admin/wp-security-dashboard-menu.php +++ b/all-in-one-wp-security/admin/wp-security-dashboard-menu.php @@ -10,6 +10,7 @@ class AIOWPSecurity_Dashboard_Menu extends AIOWPSecurity_Admin_Menu 'tab1' => 'render_tab1', 'tab2' => 'render_tab2', 'tab3' => 'render_tab3', + 'tab4' => 'render_tab4', ); function __construct() @@ -23,6 +24,7 @@ function set_menu_tabs() 'tab1' => __('Dashboard','aiowpsecurity'), 'tab2' => __('System Info','aiowpsecurity'), 'tab3' => __('Locked IP Addresses','aiowpsecurity'), + 'tab4' => __('AIOWPS Logs','aiowpsecurity'), ); } @@ -674,6 +676,76 @@ function render_tab3() + +
+

+
+
+ + + + + + +
: + + +
+ +
+ +
+ debug_logger->log_debug("Nonce check failed on dashboard view logs!",4); + die("Nonce check failed on dashboard view logs!"); + } + + if(!empty($file_selected)){ + ?> +
+

+
+ + + +
+
+ + + + + connect_errno) { diff --git a/all-in-one-wp-security/admin/wp-security-list-404.php b/all-in-one-wp-security/admin/wp-security-list-404.php index f06e396..9a5a59f 100644 --- a/all-in-one-wp-security/admin/wp-security-list-404.php +++ b/all-in-one-wp-security/admin/wp-security-list-404.php @@ -289,7 +289,7 @@ function prepare_items() { $search_term = trim($_POST['s']); $data = $wpdb->get_results($wpdb->prepare("SELECT * FROM " . $events_table_name . " WHERE `ip_or_host` LIKE '%%%s%%' OR `url` LIKE '%%%s%%' OR `referer_info` LIKE '%%%s%%'", $search_term, $search_term, $search_term), ARRAY_A); } else { - $data = $wpdb->get_results("SELECT * FROM $events_table_name ORDER BY $orderby $order", ARRAY_A); + $data = $wpdb->get_results($wpdb->prepare("SELECT * FROM $events_table_name ORDER BY %s %s",$orderby, $order ), ARRAY_A); } $new_data = array(); foreach ($data as $row) { diff --git a/all-in-one-wp-security/admin/wp-security-list-acct-activity.php b/all-in-one-wp-security/admin/wp-security-list-acct-activity.php index 50e3369..115c6d5 100644 --- a/all-in-one-wp-security/admin/wp-security-list-acct-activity.php +++ b/all-in-one-wp-security/admin/wp-security-list-acct-activity.php @@ -162,7 +162,7 @@ function prepare_items() { $orderby = !empty($orderby) ? esc_sql($orderby) : 'login_date'; $order = !empty($order) ? esc_sql($order) : 'DESC'; - $data = $wpdb->get_results("SELECT * FROM $login_activity_table ORDER BY $orderby $order LIMIT 50", ARRAY_A); //Get the last 50 records + $data = $wpdb->get_results($wpdb->prepare("SELECT * FROM $login_activity_table ORDER BY %s %s LIMIT 50",$orderby, $order), ARRAY_A); //Get the last 50 records $current_page = $this->get_pagenum(); $total_items = count($data); $data = array_slice($data,(($current_page-1)*$per_page),$per_page); diff --git a/all-in-one-wp-security/admin/wp-security-list-locked-ip.php b/all-in-one-wp-security/admin/wp-security-list-locked-ip.php index 09963fa..0769bc1 100644 
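Review bot: The log file that render_tab4 displays (`$file_selected`, tested at `if(!empty($file_selected))` near the end of the hunk) should be validated against the real entries of the plugin's logs directory before anything is read, e.g. `if (!in_array($file_selected, $allowed_log_files, true)) { wp_die(__('Invalid log file selected.', 'aiowpsecurity')); }` where `$allowed_log_files` is built from `scandir()` of that directory with `.` and `..` removed, so only files physically in the logs directory can be shown. The hunk is garbled in this rendering and the read itself is not visible, so whether such a check already exists cannot be confirmed from here. The nonce-failure path also uses a bare `die("Nonce check failed on dashboard view logs!")`, while the rest of the commit uses `die(__('…','aiowpsecurity'))`; `wp_die(__('Nonce check failed on dashboard view logs!', 'aiowpsecurity'))` would be consistent and translatable.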
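Review bot: `$wpdb->prepare("SELECT * FROM $events_table_name ORDER BY %s %s", $orderby, $order)` in the changed line of list-404's prepare_items neither protects ORDER BY nor keeps sorting working: `%s` is emitted as a quoted string, so the SQL becomes `ORDER BY 'column' 'DESC'`, which MySQL reads as one constant string (adjacent literals concatenate) and silently orders nothing. Identifiers and keywords cannot be bound through placeholders; they have to be checked against a fixed set and then interpolated, which `esc_sql` alone never guaranteed either because an unquoted identifier position accepts commas and parentheses. Replace the two `esc_sql` assignments with `$orderby = in_array($orderby, $allowed_columns, true) ? $orderby : $default_orderby;` (where `$allowed_columns` lists the table's sortable column names) and `$order = (strtoupper($order) === 'ASC') ? 'ASC' : 'DESC';`, after which the original `"… ORDER BY $orderby $order"` string is safe. The same placeholder misuse is in wp-security-list-acct-activity.php (same physical line), wp-security-list-locked-ip.php and wp-security-list-login-fails.php.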
--- a/all-in-one-wp-security/admin/wp-security-list-locked-ip.php +++ b/all-in-one-wp-security/admin/wp-security-list-locked-ip.php @@ -210,7 +210,7 @@ function prepare_items() { $orderby = !empty($orderby) ? esc_sql($orderby) : 'lockdown_date'; $order = !empty($order) ? esc_sql($order) : 'DESC'; - $data = $wpdb->get_results("SELECT * FROM $lockdown_table_name WHERE release_date > now() ORDER BY $orderby $order", ARRAY_A); + $data = $wpdb->get_results($wpdb->prepare("SELECT * FROM $lockdown_table_name WHERE release_date > now() ORDER BY %s %s", $orderby, $order), ARRAY_A); $current_page = $this->get_pagenum(); $total_items = count($data); $data = array_slice($data,(($current_page-1)*$per_page),$per_page); diff --git a/all-in-one-wp-security/admin/wp-security-list-logged-in-users.php b/all-in-one-wp-security/admin/wp-security-list-logged-in-users.php index b4391f5..91e0e4c 100644 --- a/all-in-one-wp-security/admin/wp-security-list-logged-in-users.php +++ b/all-in-one-wp-security/admin/wp-security-list-logged-in-users.php @@ -18,6 +18,23 @@ function column_default($item, $column_name){ return $item[$column_name]; } + function column_user_id($item){ + $tab = strip_tags($_REQUEST['tab']); + $force_logout_url = sprintf('admin.php?page=%s&tab=%s&action=%s&logged_in_id=%s&ip_address=%s', AIOWPSEC_USER_LOGIN_MENU_SLUG, $tab, 'force_user_logout', $item['user_id'], $item['ip_address']); + //Add nonce to URL + $force_logout_nonce = wp_nonce_url($force_logout_url, "force_user_logout", "aiowps_nonce"); + + //Build row actions + $actions = array( + 'logout' => 'Force Logout', + ); + + //Return the user_login contents + return sprintf('%1$s %2$s', + /*$1%s*/ $item['user_id'], + /*$2%s*/ $this->row_actions($actions) + ); + } function get_columns(){ $columns = array( 
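Review bot: The force-logout link built in column_user_id interpolates `$tab`, `$item['user_id']` and `$item['ip_address']` into a query string with `sprintf` and no URL encoding, and `strip_tags($_REQUEST['tab'])` is neither a presence check nor an encoder, so a stored ip_address or tab value containing `&`, `=` or `#` changes the parameters the link carries (wp_nonce_url only HTML-escapes the finished URL, it does not encode components). Build it with `add_query_arg(array('page' => AIOWPSEC_USER_LOGIN_MENU_SLUG, 'tab' => $tab, 'action' => 'force_user_logout', 'logged_in_id' => absint($item['user_id']), 'ip_address' => $item['ip_address']), 'admin.php')`, which encodes every value, and read the tab as `$tab = isset($_REQUEST['tab']) ? sanitize_key($_REQUEST['tab']) : '';`. The `%1$s` cell should print `absint($item['user_id'])` rather than the raw stored value.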
@@ -44,6 +61,45 @@ function get_bulk_actions() { function process_bulk_action() { } + /* + * This function will force a selected user to be logged out. + * The function accepts either an array of IDs or a single ID (TODO - bulk actions not implemented yet!) + */ + function force_user_logout($user_id, $ip_addr) + { + global $wpdb, $aio_wp_security; + if (is_array($user_id)) + { + if (isset($_REQUEST['_wp_http_referer'])) + { + //TODO - implement bulk action in future release! + } + } + elseif ($user_id != NULL) + { + $nonce=isset($_GET['aiowps_nonce'])?$_GET['aiowps_nonce']:''; + if (!isset($nonce) ||!wp_verify_nonce($nonce, 'force_user_logout')) + { + $aio_wp_security->debug_logger->log_debug("Nonce check failed for force user logout operation!",4); + die(__('Nonce check failed for force user logout operation!','aiowpsecurity')); + } + //Force single user logout + $user_id = absint($user_id); + $manager = WP_Session_Tokens::get_instance( $user_id ); + $manager->destroy_all(); + // + $aio_wp_security->user_login_obj->update_user_online_transient($user_id, $ip_addr); +// if($result != NULL) +// { + $success_msg = '

'; + $success_msg .= __('The selected user was logged out successfully!','aiowpsecurity'); + $success_msg .= '

'; + _e($success_msg); +// } + } + } + + function prepare_items() { //First, lets decide how many records per page to show $per_page = 20; diff --git a/all-in-one-wp-security/admin/wp-security-list-login-fails.php b/all-in-one-wp-security/admin/wp-security-list-login-fails.php index 3158b46..5310690 100644 --- a/all-in-one-wp-security/admin/wp-security-list-login-fails.php +++ b/all-in-one-wp-security/admin/wp-security-list-login-fails.php @@ -161,7 +161,7 @@ function prepare_items() { $orderby = !empty($orderby) ? esc_sql($orderby) : 'failed_login_date'; $order = !empty($order) ? esc_sql($order) : 'DESC'; - $data = $wpdb->get_results("SELECT * FROM $failed_logins_table_name ORDER BY $orderby $order", ARRAY_A); + $data = $wpdb->get_results($wpdb->prepare("SELECT * FROM $failed_logins_table_name ORDER BY %s %s;", $orderby, $order), ARRAY_A); $current_page = $this->get_pagenum(); $total_items = count($data); $data = array_slice($data,(($current_page-1)*$per_page),$per_page); diff --git a/all-in-one-wp-security/admin/wp-security-user-login-menu.php b/all-in-one-wp-security/admin/wp-security-user-login-menu.php index 0e8243f..f2fe3e5 100644 --- a/all-in-one-wp-security/admin/wp-security-user-login-menu.php +++ b/all-in-one-wp-security/admin/wp-security-user-login-menu.php @@ -454,6 +454,12 @@ function render_tab5() global $aio_wp_security; include_once 'wp-security-list-logged-in-users.php'; //For rendering the AIOWPSecurity_List_Table $user_list = new AIOWPSecurity_List_Logged_In_Users(); + if(isset($_REQUEST['action'])) //Do row action tasks for list table form for login activity display + { + if($_REQUEST['action'] == 'force_user_logout'){ //Force Logout link was clicked for a row in list table + $user_list->force_user_logout(strip_tags($_REQUEST['logged_in_id']), strip_tags($_REQUEST['ip_address'])); + } + } if (isset($_POST['aiowps_refresh_logged_in_user_list'])) { 
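Review bot: force_user_logout hands `$ip_addr` to `update_user_online_transient()` without validating it, although the value comes straight from `$_REQUEST['ip_address']` with only `strip_tags()` applied by the caller in wp-security-user-login-menu.php; add `if (filter_var($ip_addr, FILTER_VALIDATE_IP) === false) { wp_die(__('Invalid IP address.', 'aiowpsecurity')); }` before the transient update. The nonce proves the link came from a page this user loaded, not that the user may terminate other users' sessions, so unless the admin-menu framework already enforces it (not visible here) the function should also check `current_user_can('manage_options')`. `elseif ($user_id != NULL)` is a loose test that treats `'0'` and `''` alike — apply `absint()` first and test `> 0` — and `_e($success_msg)` passes a runtime-built string to a translation function where `echo $success_msg;` is the intent. The commented-out `// if($result != NULL)` scaffolding should be removed rather than committed.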
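Review bot: In render_tab5 the new branch reads `$_REQUEST['logged_in_id']` and `$_REQUEST['ip_address']` without `isset()` and passes them through `strip_tags()` rather than a type-appropriate sanitizer, so a request carrying `action=force_user_logout` without those parameters raises undefined-index notices and forwards empty strings. Read them as `$logged_in_id = isset($_REQUEST['logged_in_id']) ? absint($_REQUEST['logged_in_id']) : 0;` and `$ip_address = isset($_REQUEST['ip_address']) ? sanitize_text_field($_REQUEST['ip_address']) : '';`, then call `if ($logged_in_id > 0) { $user_list->force_user_logout($logged_in_id, $ip_address); }`. The action comparison should also be strict, `$_REQUEST['action'] === 'force_user_logout'`. render_tab5 starts and ends outside this hunk.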
@@ -465,11 +471,6 @@ function render_tab5() } $user_list->prepare_items(); - -// if(isset($_REQUEST['action'])) //Do list table form row action tasks -// { - //no actions for now -// } } ?> @@ -486,6 +487,7 @@ function render_tab5() '.__('This tab displays all users who are currently logged into your site.', 'aiowpsecurity').'
'.__('If you suspect there is a user or users who are logged in which should not be, you can block them by inspecting the IP addresses from the data below and adding them to your blacklist.', 'aiowpsecurity').' +
'.__('You can also instantly log them out by clicking on the "Force Logout" link when you hover over the row in the User Id column.', 'aiowpsecurity').'

'; ?> diff --git a/all-in-one-wp-security/classes/wp-security-installer.php b/all-in-one-wp-security/classes/wp-security-installer.php index 7f951b1..751c194 100644 --- a/all-in-one-wp-security/classes/wp-security-installer.php +++ b/all-in-one-wp-security/classes/wp-security-installer.php @@ -26,7 +26,7 @@ static function run_installer() AIOWPSecurity_Installer::create_db_tables(); AIOWPSecurity_Configure_Settings::add_option_values(); AIOWPSecurity_Installer::create_db_backup_dir(); //Create a backup dir in the WP uploads directory - + AIOWPSecurity_Installer::miscellaneous_tasks(); } static function create_db_tables() @@ -133,16 +133,22 @@ static function create_db_backup_dir() $handle = fopen($index_file, 'w'); //or die('Cannot open file: '.$index_file); fclose($handle); } - //Create an .htacces file - //Write some rules which will only allow people originating from wp admin page to download the DB backup - $rules = ''; - $rules .= 'order deny,allow -deny from all' . PHP_EOL; - $file = $aiowps_dir.'/.htaccess'; - $write_result = file_put_contents($file, $rules); - if ($write_result === false) - { - $aio_wp_security->debug_logger->log_debug("Creation of .htaccess file in ".AIO_WP_SECURITY_BACKUPS_DIR_NAME." directory failed!",4); + $server_type = AIOWPSecurity_Utility::get_server_type(); + //Only create .htaccess if server is the right type + if($server_type == 'apache' || $server_type == 'litespeed'){ + $file = $aiowps_dir.'/.htaccess'; + if(!file_exists($file)){ + //Create an .htacces file + //Write some rules which will only allow people originating from wp admin page to download the DB backup + $rules = ''; + $rules .= 'order deny,allow' . PHP_EOL; + $rules .= 'deny from all' . PHP_EOL; + $write_result = file_put_contents($file, $rules); + if ($write_result === false) + { + $aio_wp_security->debug_logger->log_debug("Creation of .htaccess file in ".AIO_WP_SECURITY_BACKUPS_DIR_NAME." directory failed!",4); + } + } } } 
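Review bot: The rules create_db_backup_dir now writes, `order deny,allow` / `deny from all`, are Apache 2.2 access directives; on Apache 2.4 hosts without mod_access_compat they cause a 500 instead of a deny, and with mod_authz_core the intended block needs `Require all denied`. Since the commit already branches on `get_server_type()`, emit both syntaxes in `<IfModule>` guards, and because the identical rule text is duplicated in create_htaccess_logs_dir in the next hunk, build it in one helper that both callers use. The new `if(!file_exists($file))` guard also means a pre-existing, possibly edited, `.htaccess` is never re-checked; comparing its content with the expected rules and rewriting on mismatch would keep the protection in place.
```php
// Shared rule text for both protected directories (create_db_backup_dir and create_htaccess_logs_dir)
static function get_deny_all_htaccess_rules()
{
    $rules  = '<IfModule mod_authz_core.c>' . PHP_EOL;   // Apache 2.4
    $rules .= 'Require all denied' . PHP_EOL;
    $rules .= '</IfModule>' . PHP_EOL;
    $rules .= '<IfModule !mod_authz_core.c>' . PHP_EOL;  // pre-2.4 Apache
    $rules .= 'order deny,allow' . PHP_EOL;
    $rules .= 'deny from all' . PHP_EOL;
    $rules .= '</IfModule>' . PHP_EOL;
    return $rules;
}

// in create_db_backup_dir(), replacing the three $rules lines:
$rules = self::get_deny_all_htaccess_rules();
// … unchanged: file_put_contents and error logging …
```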
@@ -173,6 +179,35 @@ static function reactivation_tasks() return false; } } + + static function miscellaneous_tasks() + { + //Create .htaccess file to protect log files in "logs" dir + self::create_htaccess_logs_dir(); + } + + static function create_htaccess_logs_dir() + { + global $aio_wp_security; + $aiowps_log_dir = AIO_WP_SECURITY_PATH.'/logs'; + $server_type = AIOWPSecurity_Utility::get_server_type(); + //Only create .htaccess if server is the right type + if($server_type == 'apache' || $server_type == 'litespeed'){ + $file = $aiowps_log_dir.'/.htaccess'; + if(!file_exists($file)){ + //Write some rules which will stop people from viewing the log files publicly + $rules = ''; + $rules .= 'order deny,allow' . PHP_EOL; + $rules .= 'deny from all' . PHP_EOL; + $write_result = file_put_contents($file, $rules); + if ($write_result === false) + { + $aio_wp_security->debug_logger->log_debug("Creation of .htaccess file in ".$aiowps_log_dir." directory failed!",4); + } + } + } + } + // //Read entire contents of file at activation time and store serialized contents in our global_meta table // static function backup_file_contents_to_db_at_activation($src_file, $key_description) diff --git a/all-in-one-wp-security/classes/wp-security-utility-htaccess.php b/all-in-one-wp-security/classes/wp-security-utility-htaccess.php index 349dfeb..74d1c97 100644 --- a/all-in-one-wp-security/classes/wp-security-utility-htaccess.php +++ b/all-in-one-wp-security/classes/wp-security-utility-htaccess.php 
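Review bot: create_htaccess_logs_dir assumes `AIO_WP_SECURITY_PATH.'/logs'` already exists; if it does not, `file_put_contents` emits a warning and returns false, which is only logged, and the log files stay unprotected. Add `if (!is_dir($aiowps_log_dir)) { wp_mkdir_p($aiowps_log_dir); }` before the write. The `order deny,allow` / `deny from all` text is Apache 2.2 syntax, so an `<IfModule mod_authz_core.c>` block with `Require all denied` is needed for Apache 2.4 as well. Because the file is only created from run_installer() via miscellaneous_tasks(), a plugin update that replaces the plugin directory would presumably remove it until the next activation; creating it lazily when the logger opens a log file, or shipping the `.htaccess` with the plugin, would close that gap.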
@@ -55,34 +55,12 @@ function __construct(){ //NOP } - //Gets server type. Returns -1 if server is not supported - static function get_server_type() - { - //figure out what server they're using - if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'apache')) - { - return 'apache'; - } - else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'nginx')) - { - return 'nginx'; - } - else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'litespeed')) - { - return 'litespeed'; - } - else - { //unsupported server - return -1; - } - - } - + static function write_to_htaccess() { global $aio_wp_security; //figure out what server is being used - if (AIOWPSecurity_Utility_Htaccess::get_server_type() == -1) + if (AIOWPSecurity_Utility::get_server_type() == -1) { $aio_wp_security->debug_logger->log_debug("Unable to write to .htaccess - server type not supported!",4); return -1; //unable to write to the file @@ -272,7 +250,7 @@ static function getrules_block_wp_file_access() static function getrules_blacklist() { global $aio_wp_security; - $aiowps_server = AIOWPSecurity_Utility_Htaccess::get_server_type(); + $aiowps_server = AIOWPSecurity_Utility::get_server_type(); $rules = ''; if($aio_wp_security->configs->get_value('aiowps_enable_blacklisting')=='1') { diff --git a/all-in-one-wp-security/classes/wp-security-utility.php b/all-in-one-wp-security/classes/wp-security-utility.php index 567593b..4d6cee3 100644 --- a/all-in-one-wp-security/classes/wp-security-utility.php +++ b/all-in-one-wp-security/classes/wp-security-utility.php 
@@ -457,5 +457,29 @@ static function cleanup_table($table_name, $max_rows = '10000') return ($result === false)?false:true; } + //Gets server type. Returns -1 if server is not supported + static function get_server_type() + { + //figure out what server they're using + if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'apache')) + { + return 'apache'; + } + else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'nginx')) + { + return 'nginx'; + } + else if (strstr(strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)), 'litespeed')) + { + return 'litespeed'; + } + else + { //unsupported server + return -1; + } + + } + + } diff --git a/all-in-one-wp-security/readme.txt b/all-in-one-wp-security/readme.txt index bb015cc..472bdfb 100644 --- a/all-in-one-wp-security/readme.txt +++ b/all-in-one-wp-security/readme.txt @@ -4,7 +4,7 @@ Donate link: https://www.tipsandtricks-hq.com Tags: security, secure, Anti Virus, antivirus, ban, ban hacker, virus, firewall, firewall security, login, lockdown, htaccess, hack, malware, vulnerability, protect, protection, phishing, database, backup, plugin, sql injection, ssl, restrict, login captcha, bot, hotlink, 404 detection, admin, rename, all in one, scan, scanner, iframe, Requires at least: 3.5 Tested up to: 4.1.1 -Stable tag: 3.9.0 +Stable tag: 3.9.1 License: GPLv3 A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site. @@ -149,6 +149,7 @@ Currently available translations: - Russian - Chinese - Portuguese (Brazil) +- Persian Visit the [WordPress Security Plugin](https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin) page for more details. 
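Review bot: get_server_type reads `$_SERVER['SERVER_SOFTWARE']` unguarded; when the installer runs outside a web request (a CLI activation, for example — the installer hunk shows run_installer reaching this function through miscellaneous_tasks and create_htaccess_logs_dir) the index is absent, an undefined-index notice is raised and the three comparisons run on an empty value. Compute the value once with a presence check, `$software = isset($_SERVER['SERVER_SOFTWARE']) ? strtolower(filter_var($_SERVER['SERVER_SOFTWARE'], FILTER_SANITIZE_STRING)) : '';`, and test it with `strpos($software, 'apache') !== false` and so on instead of repeating `strstr(strtolower(filter_var(...)))` on the raw superglobal. The `-1`-or-string return mixes types; a `@return string|int` PHPDoc noting the `-1` sentinel would help the callers that compare with `== -1`.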
@@ -177,6 +178,12 @@ None == Changelog == += 3.9.1 = +- Added protection against possible SQL injection attacks. +- Added new "Force Logout" feature which will instantly force a certain user to be logged out of their session. (See the "Logged In Users" tab in User Login menu) +- Added more security protection for aiowps log files by creating .htaccess file and rules. AIOWPS log files can now only be viewed via dashboard menu, in new tab called "AIOWPS Logs". (NOTE:This security currently applies only for apache or similar servers) +- Added backticks to SQL statement for DB prefix change to help prevent errors. + = 3.9.0 = - Added some robustness to the file-scan code. - Added extra security to all relevant list table instances to prevent unlikely malicious deletion commands. diff --git a/all-in-one-wp-security/wp-security-core.php b/all-in-one-wp-security/wp-security-core.php index 3a770cd..c7a1b3a 100644 --- a/all-in-one-wp-security/wp-security-core.php +++ b/all-in-one-wp-security/wp-security-core.php @@ -3,7 +3,7 @@ if (!class_exists('AIO_WP_Security')){ class AIO_WP_Security{ - var $version = '3.9.0'; + var $version = '3.9.1'; var $db_version = '1.6'; var $plugin_url; var $plugin_path; diff --git a/all-in-one-wp-security/wp-security.php b/all-in-one-wp-security/wp-security.php index 14022df..4e7e780 100644 --- a/all-in-one-wp-security/wp-security.php +++ b/all-in-one-wp-security/wp-security.php @@ -1,7 +1,7 @@