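/**
 * Remove the 6Scan rules from the site's .htaccess and delete the files the
 * plugin installed, through the WordPress filesystem API.
 *
 * Only the section between "# Created by 6Scan plugin" and
 * "# End of 6Scan plugin" is stripped; everything else in .htaccess is kept.
 * The file is rewritten only when that section was actually present, and a
 * failed read or a PCRE failure aborts instead of writing an empty file back,
 * so uninstalling can never truncate the user's own .htaccess.
 *
 * @return true|Exception TRUE on success, the caught Exception on failure.
 */
function sixscan_htaccess_uninstall() {
    global $wp_filesystem;

    if ($wp_filesystem === null) {
        WP_Filesystem();
    }

    try {
        if (!is_object($wp_filesystem)) {
            throw new Exception('Failed to initialise the WordPress filesystem API during uninstallation');
        }

        $is_direct = $wp_filesystem->method === 'direct';
        $local_htaccess_path = sixscan_common_get_htaccess_file_path($is_direct);

        if ($wp_filesystem->exists($local_htaccess_path)) {
            $htaccess_content = $wp_filesystem->get_contents($local_htaccess_path);
            if ($htaccess_content === false) {
                throw new Exception('Failed to read htaccess during uninstallation');
            }

            $stripped = preg_replace('@# Created by 6Scan plugin(.*?)# End of 6Scan plugin@s', '', $htaccess_content);
            if ($stripped === null) {
                // preg_replace() yields null on a PCRE error (e.g. backtrack limit);
                // writing that back would wipe the file, so stop here instead.
                throw new Exception('Failed to strip 6Scan rules from htaccess during uninstallation');
            }

            // Nothing to write when no 6Scan section was present.
            if ($stripped !== $htaccess_content
                && $wp_filesystem->put_contents($local_htaccess_path, $stripped) === false) {
                throw new Exception('Failed to write htaccess during uninstallation');
            }
        }

        // Files the plugin installed; their locations come from the dest-path helpers.
        $dest_paths = array(
            sixscan_common_get_htaccess_dest_path($is_direct),
            sixscan_common_get_signature_dest_path($is_direct),
        );
        foreach ($dest_paths as $dest_path) {
            if ($wp_filesystem->exists($dest_path)) {
                $wp_filesystem->delete($dest_path);
            }
        }
    } catch (Exception $e) {
        return $e;
    }

    return true;
}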
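/**
 * Collect environment details for an anonymous 6Scan support ticket.
 *
 * The returned text leaves the site, so values that would hand a third party a
 * session or a credential (cookies, HTTP auth, password-like php.ini entries)
 * are redacted before the $_SERVER and ini dumps are included. Everything else
 * (OS, registration state, write method, proxy usage, .htaccess content, plugin
 * list, remaining php.ini settings) is reported as-is.
 *
 * @return string Multi-line, human-readable report.
 */
function sixscan_common_gather_system_information_for_anonymous_support_ticket() {
    $submission_data = "\n";
    $submission_data .= "OS: " . PHP_OS . " \n";

    // Cookies and HTTP-auth material are secrets; never ship them in a ticket.
    // NOTE(review): $_SERVER may also mirror process environment variables
    // depending on variables_order — confirm nothing sensitive reaches it.
    $server_info = $_SERVER;
    $sensitive_server_keys = array('HTTP_COOKIE', 'HTTP_AUTHORIZATION', 'PHP_AUTH_USER', 'PHP_AUTH_PW', 'PHP_AUTH_DIGEST');
    foreach ($sensitive_server_keys as $key) {
        if (array_key_exists($key, $server_info)) {
            $server_info[$key] = '[redacted]';
        }
    }
    $submission_data .= "Server info: " . print_r($server_info, true);

    $regdata_status = sixscan_common_is_regdata_present();
    $submission_data .= "Regdata present: {$regdata_status}\n";

    $write_method = get_option(SIXSCAN_OPTION_WPFS_CONFIG) === false ? "Direct_access" : "WP_filesystem";
    $submission_data .= "Write method: {$write_method}\n";

    /* Check whether the site reaches external resources through a proxy */
    $url = SIXSCAN_BODYGUARD_REGISTER_URL;
    $proxy = new WP_HTTP_Proxy();
    $is_through_proxy = ($proxy->is_enabled() && $proxy->send_through_proxy($url)) ? "true" : "false";
    $submission_data .= "Is access through proxy: {$is_through_proxy}\n";

    // Read directly (not via WP_Filesystem); the readability guard turns a missing
    // or unreadable file into "Empty" instead of a PHP warning.
    $htaccess_path = sixscan_common_get_htaccess_file_path(true);
    $htaccess_contents = is_readable($htaccess_path) ? file_get_contents($htaccess_path) : false;
    if ($htaccess_contents === false || $htaccess_contents === '') {
        $htaccess_contents = "Empty";
    }
    $submission_data .= "Htaccess contents: {$htaccess_contents}\n";

    $plugin_list = get_plugins();
    $submission_data .= "Plugins: " . print_r($plugin_list, true) . "\n";

    // php.ini directives whose name looks like a password (e.g. the legacy
    // mysql/mysqli default-password settings) are redacted; the rest is kept.
    $ini_settings = ini_get_all();
    foreach ($ini_settings as $ini_key => $ini_value) {
        if (preg_match('/password|_pw$/i', $ini_key)) {
            $ini_settings[$ini_key] = '[redacted]';
        }
    }
    $submission_data .= "phpinfo(): " . print_r($ini_settings, true) . "\n";

    return $submission_data;
}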
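/**
 * Rewrite the site's .htaccess with the 6Scan protection rules.
 *
 * Any previous 6Scan section (between "# Created by 6Scan plugin" and
 * "# End of 6Scan plugin") is removed and a fresh one is prepended to the
 * remaining content. The generated section holds:
 *   - SetEnv markers read by the 6Scan gateway,
 *   - a guard that forbids direct requests to 6scan-gate.php,
 *   - a bypass for the 6Scan scanner IPs (skips the six rules that follow),
 *   - coarse method / query-string / referer heuristics that only set
 *     environment flags (the optional non-standard-method rule is the one
 *     that actually rejects with [F,L]),
 *   - one RewriteCond per vulnerable URL from $links_list, all forwarded to
 *     6scan-gate.php.
 *
 * The content is written to "<htaccess>.tmp" first and then copied over the
 * real file by sixscan_signatures_update_copy_file().
 *
 * @param string $links_list Vulnerable URL paths separated by
 *        SIXSCAN_SIGNATURE_LINKS_DELIMITER. Each entry has its first character
 *        dropped (presumably a leading slash — confirm against the producer).
 *        Entries that are empty after that, or that contain whitespace or
 *        control characters, are skipped: the former would become a catch-all
 *        pattern, the latter cannot be placed in a RewriteCond argument.
 * @return true|string TRUE on success, an error message on failure.
 */
function sixscan_signatures_update_htaccess($links_list) {
    global $wp_filesystem;

    if ($wp_filesystem === null) {
        WP_Filesystem();
    }
    if (!is_object($wp_filesystem)) {
        return "Failed to initialise the WordPress filesystem API";
    }

    $htaccess_fpath = sixscan_common_get_htaccess_file_path($wp_filesystem->method === 'direct');

    /* Existing .htaccess content with any previous 6Scan section removed. */
    $existing_content = "";
    if ($wp_filesystem->exists($htaccess_fpath)) {
        $htaccess_content = $wp_filesystem->get_contents($htaccess_fpath);
        if ($htaccess_content === false) {
            return "Failed reading existing htaccess from " . $htaccess_fpath;
        }
        $stripped = preg_replace('@# Created by 6Scan plugin(.*?)# End of 6Scan plugin@s', '', $htaccess_content);
        if ($stripped === null) {
            // PCRE failure (e.g. backtrack limit): continuing would silently drop
            // the user's own rules from the rewritten file.
            return "Failed stripping old 6Scan rules from " . $htaccess_fpath;
        }
        $existing_content = trim($stripped);
    }

    /* Site location (path prefix and hostname) taken from home_url(). */
    $mixed_site_address = parse_url(home_url());
    if (!is_array($mixed_site_address) || !isset($mixed_site_address['host'])) {
        return "Failed to determine the site hostname from home_url()";
    }
    $rel_path = isset($mixed_site_address['path']) ? $mixed_site_address['path'] : "";
    if ($rel_path === "" || $rel_path === '/') {
        $wordpress_base_dirname = "/";
    } else {
        $wordpress_base_dirname = untrailingslashit($rel_path);
    }

    $current_hostname = $mixed_site_address['host'];
    if (substr($current_hostname, 0, 4) === 'www.') {
        $current_hostname = substr($current_hostname, 4);
    }
    /* Dots are regex metacharacters once the hostname is written into a RewriteCond. */
    $current_hostname = str_replace(".", "\\.", $current_hostname);

    /*
     * Broad-spectrum heuristics. Apart from the optional [F,L] rule for
     * non-standard methods these only set environment variables for the
     * gateway/log to pick up; they do not reject the request.
     * The header comment is emitted as a single line: a line break inside it
     * would leave "XSS,RFI ..." as a bare, invalid directive.
     * NOTE(review): the "RewriteRule .* - [E=...] -" lines carry a trailing "-"
     * after the flags, i.e. a fourth argument, while RewriteRule takes two or
     * three — confirm Apache accepts this; kept verbatim here.
     */
    $vuln_urls = "#Broad-spectrum protection: User agent/referrer injections. XSS,RFI and SQLI prevention\n"
        . "RewriteCond %{REQUEST_METHOD} ^(OPTIONS|PUT|DELETE|TRACE|CONNECT|PATCH|TRACK|DEBUG) [NC]\n";
    if (sixscan_signatures_is_to_block_non_standard_requests()) {
        $vuln_urls .= "RewriteRule ^(.*)\$ - [F,L]\n";
    } else {
        $vuln_urls .= "RewriteRule .* - [E=sixscansecuritylog:1,E=sixscanstrangerequest:1] -\n";
    }
    $vuln_urls .= "\n\n"
        . "RewriteCond %{QUERY_STRING} (http(s)?(:|%3A)(/|%2F)(/|%2F)|ftp(:|%3A)(/|%2F)(/|%2F)|zlib(:|%3A)|bzip2(:|%3A)) [NC]\n"
        . "RewriteRule .* - [E=sixscansecuritylog:1,E=sixscanwafrfi:1] -\n\n"
        . "RewriteCond %{REQUEST_METHOD} ^(POST) [NC]\n"
        . "RewriteCond %{HTTP_REFERER} !^\$\n"
        . "RewriteCond %{HTTP_REFERER} !^(WordPress\\/[\\d.]+;\\s+)?https?://(www.)?" . $current_hostname . " [NC]\n"
        . "RewriteRule .* - [E=sixscansecuritylog:1,E=sixscanwafcsrf:1] -\n\n"
        . "RewriteCond %{QUERY_STRING} (<|%3c).*(script|iframe|src).*(>|%3e) [NC]\n"
        . "RewriteRule .* - [E=sixscansecuritylog:1,E=sixscanwafxss:1] -\n\n"
        . "RewriteCond %{QUERY_STRING} union.*select [NC,OR]\n"
        . "RewriteCond %{QUERY_STRING} (concat|delete|right|ascii|left|mid|version|substring|extractvalue|benchmark|load_file).*\\(.*\\)\t[NC,OR]\n"
        . "RewriteCond %{QUERY_STRING} (into.*outfile) [NC,OR]\n"
        . "RewriteCond %{QUERY_STRING} (having.*--) [NC]\n"
        . "RewriteRule .* - [E=sixscansecuritylog:1,E=sixscanwafsqli:1] -\n\n";

    /*
     * Regex metacharacters that must be escaped when a link is written into a
     * RewriteCond pattern. The backslash comes first so that the backslashes
     * added by the later replacements are not doubled in turn.
     */
    $chars_to_escape_arr = array('\\', '.', '^', '$', '+', '{', '}', '[', ']', '(', ')', '*', '?', '|');
    $escaped_chars_arr   = array('\\\\', '\\.', '\\^', '\\$', '\\+', '\\{', '\\}', '\\[', '\\]', '\\(', '\\)', '\\*', '\\?', '\\|');

    /* One RewriteCond per vulnerable URL; the chain is closed by the placeholder link below. */
    if (is_string($links_list) && $links_list !== '') {
        $links = explode(SIXSCAN_SIGNATURE_LINKS_DELIMITER, $links_list);
        foreach ($links as $one_link) {
            // First character dropped as before (presumably a leading "/"); an entry that
            // is empty after that would turn into "^/+", a catch-all forwarding everything.
            $path_part = trim((string) substr($one_link, 1));
            if ($path_part === '') {
                continue;
            }
            $one_link = trailingslashit($rel_path) . $path_part;
            $one_link = str_replace($chars_to_escape_arr, $escaped_chars_arr, $one_link);
            /* "/" becomes "/+" so that "dir///path" is treated like "dir/path". */
            $one_link = trim(str_replace('/', '/+', $one_link));
            // Whitespace ends a RewriteCond argument and a line break ends the directive;
            // a pattern containing either would corrupt every rule that follows.
            if (preg_match('/[\s\x00-\x1f\x7f]/', $one_link)) {
                continue;
            }
            $vuln_urls .= "RewriteCond %{REQUEST_URI} ^" . $one_link . " [NC,OR]\n";
        }
    }
    $vuln_urls .= "RewriteCond %{REQUEST_URI} ^" . SIXSCAN_SIGNATURE_DEFAULT_PLACEHOLDER_LINK . "\n";
    $vuln_urls .= "RewriteRule .* " . trailingslashit($wordpress_base_dirname) . "6scan-gate.php [E=sixscaninternal:accessgranted,L]\n";

    /*
     * IPs allowed to see the unfiltered scripts, so the 6Scan backend can decide
     * whether a patch is still required. A match skips the next 6 RewriteRules
     * (the five heuristics above plus the gate forwarding) — keep [S=6] in sync
     * with the number of rules in $vuln_urls.
     */
    $htaccess_links = "#Patrol's IPs needs access, to check whether rules update is required\n";
    $ip_conditions = array();
    foreach (explode(',', SIXSCAN_SIGNATURE_SCANNER_IP_LIST) as $one_ok_ip) {
        $one_ok_ip = str_replace(".", "\\.", trim($one_ok_ip));
        $ip_conditions[] = "RewriteCond %{REMOTE_ADDR} ^" . $one_ok_ip . "\$";
    }
    /* Every condition but the last carries [OR]. */
    $htaccess_links .= implode(" [OR]\n", $ip_conditions) . "\n";
    $htaccess_links .= "RewriteRule ^(.*)\$ - [S=6]\n\n";
    $htaccess_links .= $vuln_urls;

    $tmp_htaccess_file = $htaccess_fpath . ".tmp";
    // NOTE: "ServerSignature Off" only hides the server banner; it does not disable
    // directory listings, whatever the comment written into the file says.
    $new_content = "# Created by 6Scan plugin\n"
        . "#Those are used by 6Scan Gateway\n"
        . "SetEnv SIXSCAN_HTACCESS_VERSION\t" . SIXSCAN_HTACCESS_VERSION . "\n"
        . "SetEnv SIXSCAN_WP_BASEDIR\t\t\t" . $wordpress_base_dirname . "\n\n"
        . "#don't show directory listing and apache information\n"
        . "ServerSignature Off\n\n"
        . "<IfModule mod_rewrite.c>\n"
        . "RewriteEngine On\n\n"
        . "#avoid direct access to the 6scan-gate.php file\n"
        . "RewriteCond %{ENV:REDIRECT_sixscaninternal} !^accessgranted\$\n"
        . "RewriteCond %{ENV:sixscaninternal} !^accessgranted\$\n"
        . "RewriteCond %{REQUEST_URI} 6scan-gate\\.php\$\n"
        . "RewriteRule ^(.*)\$ - [F]\n"
        . "\t\t\t\t\t\n"
        . "#This is not really a must, but speeds things up a bit\n"
        . "RewriteRule ^6scan-gate\\.php\$ - [L]\n\n"
        . $htaccess_links
        . "</IfModule>\n"
        . "# End of 6Scan plugin\n\n"
        . $existing_content;

    // A failed temporary write used to go unnoticed and the copy step then
    // installed a missing or partial file.
    if ($wp_filesystem->put_contents($tmp_htaccess_file, $new_content) === false) {
        return "Failed writing temporary htaccess to " . $tmp_htaccess_file;
    }
    if (!sixscan_signatures_update_copy_file($tmp_htaccess_file, $htaccess_fpath)) {
        return "Failed moving htaccess from {$tmp_htaccess_file} to " . $htaccess_fpath;
    }

    return true;
}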