When the "database backup/logging on filesystem" feature is enabled, iThemes Security writes the backup/log file under a weak filename: the only unpredictable part of the name is a short, non-cryptographically generated suffix. An attacker who knows (or can narrow down) when the file was generated (the timestamp in the name) can therefore brute-force the remaining suffix and download the backup or log file.

Access Vector: remote

Security Risk: medium

Vulnerability: CWE-330

CVSS Base Score: 7.5

Vulnerable code

The vulnerable code is located at core/modules/backup/class-itsec-backup.php, line 244:

    $file = 'backup-' . substr( sanitize_title( get_bloginfo( 'name' ) ), 0, 20 ) . '-' . $current_time . '-' . ITSEC_Lib::get_random( mt_rand( 5, 10 ) );

In core/class-itsec-logger.php, line :

    $itsec_globals['settings']['log_info'] = substr( sanitize_title( get_bloginfo( 'name' ) ), 0, 20 ) . '-' . ITSEC_Lib::get_random( mt_rand( 0, 10 ) );

In core/class-itsec-lib.php, function get_random, line 415:

    public static function get_random( $length, $base32 = false, $special_chars = false ) {

        if ( true === $base32 ) {
            // RFC 4648 base32 alphabet (32 characters).
            $string = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
        } else {
            // Alphanumeric alphabet (62 characters), optionally extended with punctuation.
            $string = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

            if ( true === $special_chars ) {
                $string .= '_)(*&^%$#@!~`:;<>,.?/{}[]|';
            }
        }

        // Weak: str_shuffle() permutes the alphabet with a non-cryptographic PRNG and
        // mt_rand() picks a start offset into it, so every character of the result
        // appears at most once and both steps are predictable.
        return substr( str_shuffle( $string ), mt_rand( 0, strlen( $string ) - $length ), $length );

    }

str_shuffle() must never be used to generate secret strings. It is driven by PHP's non-cryptographic PRNG (rand()/mt_rand(), depending on the PHP version), not by a CSPRNG, and it only permutes the characters of the alphabet: a substring of the shuffled alphabet never repeats a character, so the number of possible outputs is far smaller than alphabet_size^length. The start offset also comes from mt_rand(), and the requested length is itself random and short (5 to 10 characters for backups, 0 to 10 for logs, i.e. possibly no suffix at all). Once the timestamp part of the name is known, the suffix contributes very little unpredictability.
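As an added example (not code from iThemes Security or from this advisory), the following shows a CSPRNG-backed replacement for the suffix generator next to the weak construction, plus a filename builder whose random component is a fixed 128 bits so that knowing the site name and timestamp no longer helps an attacker. It assumes PHP >= 7.0 for random_int()/random_bytes() (the paragonie/random_compat polyfill provides them on PHP 5), and uses a minimal stand-in for WordPress's sanitize_title() so it runs outside WordPress. The function names secure_random_string, weak_random_string and backup_filename are hypothetical.

```php
<?php
// Added example, not iThemes Security code. Assumes PHP >= 7.0 for
// random_int() and random_bytes(); on PHP 5 use the random_compat polyfill.

declare(strict_types=1);

/**
 * Same signature as the vulnerable ITSEC_Lib::get_random(), but every character
 * is drawn independently from the OS CSPRNG: characters may repeat, and the
 * number of possible outputs is strlen($alphabet) ** $length.
 */
function secure_random_string(int $length, bool $base32 = false, bool $special_chars = false): string
{
    if ($length < 1) {
        // The original allowed mt_rand( 0, 10 ) as length, i.e. possibly no suffix at all.
        throw new InvalidArgumentException('length must be at least 1');
    }
    if ($base32) {
        $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    } else {
        $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        if ($special_chars) {
            $alphabet .= '_)(*&^%$#@!~`:;<>,.?/{}[]|';
        }
    }
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is unbiased over [0, $max] and backed by the OS CSPRNG.
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

/**
 * Filename builder in the shape of the vulnerable one, but with a fixed
 * 128-bit random component (32 hex characters) instead of 5-10 shuffled
 * characters. Site name and timestamp may stay in the name; they are no
 * longer sufficient to find the file.
 */
function backup_filename(string $site_name, int $timestamp): string
{
    // Stand-in for WordPress's sanitize_title() so the example runs standalone.
    $slug = substr(preg_replace('/[^a-z0-9]+/', '-', strtolower($site_name)), 0, 20);
    $slug = trim($slug, '-');
    return 'backup-' . $slug . '-' . $timestamp . '-' . bin2hex(random_bytes(16));
}

/**
 * The weak construction, kept for comparison. On PHP >= 7.1, where
 * str_shuffle() and mt_rand() share the Mt19937 state, seeding with
 * mt_srand() makes the "random" suffix fully reproducible. (On PHP 5/7.0
 * str_shuffle() is driven by rand() instead, which is equally non-cryptographic.)
 */
function weak_random_string(int $length): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    return substr(str_shuffle($alphabet), mt_rand(0, strlen($alphabet) - $length), $length);
}

// Demonstration.
mt_srand(1234);
$a = weak_random_string(8);
mt_srand(1234);
$b = weak_random_string(8);
echo "weak suffix reproducible from a known seed: " . ($a === $b ? 'yes' : 'no') . "\n";

echo "secure suffix:   " . secure_random_string(10) . "\n";
echo "secure base32:   " . secure_random_string(16, true) . "\n";
echo "backup filename: " . backup_filename('My WordPress Site', time()) . "\n";
```

Run it with `php example.php`. The point of backup_filename() is that the random part alone has 2^128 possible values, so the cost of guessing the name does not depend on how precisely the attacker knows the timestamp; the same idea applies to the log filename in core/class-itsec-logger.php, where the suffix length should be fixed rather than drawn from mt_rand( 0, 10 ).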

Solution

Generate unpredictable strings only with a cryptographically secure random generator, never with str_shuffle()/mt_rand(). Users should update iThemes Security to version >= 5.3.1.

Affected versions

  • iThemes Security <= 5.3.0

Timeline (dd/mm/yyyy)

  • 26/02/2016 : Initial contact with iThemes.
  • 26/02/2016 : iThemes confirms the vulnerabilities.
  • 29/02/2016 : iThemes publishes a new version (5.3.1) of iThemes Security that fixes the vulnerabilities.

Credits

  • Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)