Identify

6000+ sites are still leaking sensitive WordPress config files

Well, this isn’t anything new, not at all!

Google Hacking Database has been around for a long time.

We started to dig into WordPress config files and realized that it’s very common to create a backup of your config file, which is not a bad idea.

This config file contains the base configuration of a wordpress installation like Database Connection (user name, password, ost) and other sensitive information.

Example

config

What’s really bad is that some admins seems to store the file in the web root and changed the extension to txt will will be read in the browser.

If we change the file extension to .txt it will be managed by the web server/php interpreter as any other txt file and present the content to the user.

So if we look at one part that exists in the WordPress config file.
“define(‘AUTH_KEY’, ‘” and we also have some other phrases like “wp-config.php”.

If you want an idea of how bad it is we can let google sort that out for us using some search operands available.
Since google knows the content of all files it has indexed which are most of them we just search for the content using “intext:” and filter on txt files using “filetype:”

intext:define(‘AUTH_KEY’, ‘ wp-config.php filetype:txt

The result shows about 6000+ results (and probably some false positives in the results).

ghdb

This file is not something that would be read by the user and you should not be able to download the php file either ;).

What you need to do

  • Don’t place sensitive files in the web root that doens’t have to be there
  • Configure permissions
  • Definitely don’t place backup files in the webroot, in case you don’t have to temporarily to reinstall a web application but otherwise, keep them away from the internet

Use powershell to download sysinternals tools

Today, I was starting to get some order of my troubleshooting tools and thought it was a good idea to re-download all sysinternals tools.

It could be, in the future, that I might want to download the latest tools again. Here is a function which will download the files to prefered destination folder.

https://github.com/stefanschorling/SEC-LABS/blob/master/Download-SysInternalsTools.ps1

 

KrackAttack – Vulnerability in WPA2 – Disclosed

A security researcher Mathy Van Hoef will disclose a vulnerability in WPA2 within a few hours.

The vulnerability leaves Wi-Fi traffic open to eavesdropping and it will be possible to inject malicious content and much more.

CVE’s
CVE-2017-13077
CVE-2017-13078
CVE-2017-13079
CVE-2017-13080
CVE-2017-13081
CVE-2017-13082

 

Important URLs
https://www.krackattacks.com/
https://github.com/valentijnscholten/krackattacks/

 

Van Hoef on Twitter
https://twitter.com/vanhoefm

::Updates::

From Krackattacks.com

Our main attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials (e.g. the pre-shared password of the network). At the same time, the 4-way handshake also negotiates a fresh encryption key that will be used to encrypt all subsequent traffic. Currently, all modern protected Wi-Fi networks use the 4-way handshake. This implies all these networks are affected by (some variant of) our attack. For instance, the attack works against personal and enterprise Wi-Fi networks, against the older WPA and the latest WPA2 standard, and even against networks that only use AES. All our attacks against WPA2 use a novel technique called a key reinstallation attack (KRACK):

  • Basically all Wireless networks are vulnerable and the vendors are working to get the patches out.
  • Microsoft was mitigating this on the client side in the October patch release cycle
  • If you won’t get an update to your router your really only option is to get a new one (if it’s out of support)
  • Recommendations are to apply patches as soon as they’re available.

 

 

This post will be updated