BruteProtect
[resolved] Why does BruteProtect allow bruteprotect to remotely enumerate a site's plugins? (6 posts)

  1. David Anderson
    Member
    Posted 9 months ago #

    Hi,

    I've used BruteProtect on a few sites - it's been very useful - and was reading the code because I wanted to suggest an action to be called (if not already) when a site is blocked; allowing me to pick up the information and pass it to the firewall.

    When doing so, I learnt that:
    - When a site gets its API key, it also receives back a key from the 'mothership' (https://api.bruteprotect.com)

    - The mothership can then call back, via a URL of this form, using the key that it knows, in order to enumerate the site's plugins:

    http://example.com/wp-login.php?bruteprotect_checkin=<key>

    The output, supplied via bruteprotect/uptime_securewatch.php, is then a JSON-encoded list of the site's plugins (all plugins - not just BruteProtect), and their versions, together with an indicator of whether or not the site has a user named 'admin':

    // From bruteprotect/uptime_securewatch.php (indentation normalised; $o and $pls
    // initialised to avoid undefined-variable notices; get_plugin_data() lives in
    // wp-admin/includes/plugin.php, which is not loaded on wp-login.php by default)
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $o = array();
    $pls = array();
    $plugins = get_site_option('active_plugins');

    // Absolute path of the plugins directory: this plugin's own path with the
    // trailing 'bruteprotect/' stripped
    $t = plugin_dir_path(__FILE__);
    $t = preg_replace('/' . preg_quote('bruteprotect/', '/') . '$/', '', $t);

    if (is_array($plugins)) : foreach ($plugins as $pfile) :
        $pf = $t . $pfile;
        $pl['shortname'] = trim(plugin_dir_path($pfile), '/');
        $p = get_plugin_data($pf);          // reads the plugin header (Name, Version, ...)
        $pl['name'] = $p['Name'];
        $pl['version'] = $p['Version'];
        $pls[] = $pl;
    endforeach; endif;

    $o['version'] = get_bloginfo('version'); // WordPress core version
    $o['plugins'] = $pls;                    // every active plugin, not only BruteProtect
    if (username_exists('admin')) { $o['has_admin_user'] = 1; }
    echo json_encode($o);

    On the face of it, this appears to be a backdoor, and a breach of the wordpress.org guidelines (http://wordpress.org/plugins/about/guidelines/ - point 7, unauthorized collection of user data). I can detect no reason in the plugin's code or design as to why it needs to provide BruteProtect HQ with special access to, at any time, enumerate my site's plugins or usernames.

    What this looks like very much shakes my confidence in BruteProtect, and I'd really like to hear an explanation of firstly why BruteProtect HQ needed this backdoor, and secondly why it's nowhere mentioned in the documentation?

    Many thanks,
    David

    http://wordpress.org/extend/plugins/bruteprotect/

  2. Sam Hotchkiss
    Member
    Plugin Author

    Posted 9 months ago #

    Hi David-- I certainly do apologize, this was not intended to make it out into our live code yet, and I've released an update removing it.

    We didn't want to let the cat out of the bag quite yet, but we are working on a service where we can proactively notify you when one of your plugins has been flagged as having a serious security issue (to help distinguish between minor plugin updates and major security fixes)-- at this point, we have built the functionality to allow our server (and ours alone-- there is a second key which is known only to your site and ours) to get back your plugin name/version, WordPress version, and whether or not you have a user named "admin", so that we can provide feedback to help you make your site more secure.

  3. Remember to make that service Opt In ;)

  4. David Anderson
    Member
    Posted 9 months ago #

    Hi Sam,

    Thanks - it is reassuring to know that the code was for a purpose and not just a back-door!

    Any chance of adding an action call in brute_kill_login() ?

    e.g.
    do_action('brute_kill_login', $_SERVER['REMOTE_ADDR']);

    That would give other code an opportunity to log the IP somewhere else too - e.g. get the information up to the firewall so that it can be blocked before it uses up any more resources on other sites.

    David

  5. Sam Hotchkiss
    Member
    Plugin Author

    Posted 9 months ago #

    Hey David-- no problem, sorry for any confusion!

    We can definitely add a hook in-- I'm on vacation this week, so I'm running from the boat to dinner, but I'll get it in as soon as I have a few!

    Best,
    Sam

  6. Sam Hotchkiss
    Member
    Plugin Author

    Posted 9 months ago #

    Hey David-- this hook (along with brute_log_failed_attempt) has been added into 0.9.8.3, which will be released on Monday.
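A consumer for the brute_kill_login hook, written here as an added example and not code from BruteProtect or from either poster: it takes the address the hook passes (assumed, as proposed above, to be the REMOTE_ADDR string), refuses malformed, private and loopback addresses, and appends one JSON line per block to a log file (path is an assumption) that a firewall tool such as fail2ban can follow.

```php
<?php
/*
 * Plugin Name: BruteProtect firewall relay (added example, not part of BruteProtect)
 * Description: Relays IPs blocked by the brute_kill_login hook (BruteProtect 0.9.8.3)
 * to an external firewall by appending one JSON line per event to a log file.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Assumed path; the file must be writable by the PHP user and readable by the firewall tool.
define( 'BP_RELAY_LOG', '/var/log/wordpress/brute-kills.log' );

/**
 * Validate the address before it leaves WordPress. Returns the clean string,
 * or false for malformed input and for ranges that must never be handed to
 * the firewall (loopback, private and reserved), since blocking those could
 * lock out the site's own reverse proxy or administrators.
 */
function bp_relay_validate_ip( $ip ) {
    $ip = trim( (string) $ip );
    if ( false === filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        return false;
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return ( false === filter_var( $ip, FILTER_VALIDATE_IP, $flags ) ) ? false : $ip;
}

/** Build the log record; kept separate from the writer so it can be tested without I/O. */
function bp_relay_format_event( $ip, $event, $host ) {
    return json_encode( array(
        'ts'    => gmdate( 'c' ),
        'event' => $event,
        'ip'    => $ip,
        'site'  => $host,
    ) ) . "\n";
}

/** Callback for brute_kill_login; $ip is the blocked client's REMOTE_ADDR (assumed). */
function bp_relay_on_kill( $ip ) {
    $ip = bp_relay_validate_ip( $ip );
    if ( false === $ip ) {
        return; // never forward garbage or internal addresses
    }
    $host = parse_url( home_url(), PHP_URL_HOST );
    $line = bp_relay_format_event( $ip, 'kill', $host );
    // LOCK_EX: concurrent login attempts must not interleave lines in the file.
    file_put_contents( BP_RELAY_LOG, $line, FILE_APPEND | LOCK_EX );
}
add_action( 'brute_kill_login', 'bp_relay_on_kill' );
```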
