Bypass login page IP allowlist – (All in One WP Security <= 5.0.7)

Affected plugin: All In One WP Security & Firewall
Active installs: 1+ million
Vulnerable version: <= 5.0.7
Audited version: 5.0.7
Fully patched version: 5.0.8
Recommended remediation: Update the plugin to version 5.0.8 or higher.

Description


The plugin’s IP allowlist for the login page is implemented as Apache “.htaccess” rules, so it has no effect on NGINX servers: the login page stays reachable from every IP address, while the plugin’s UI gives no indication that the restriction is not being enforced.

Proof of concept


The plugin writes the configured IPs in the allowlist to a “.htaccess” file. That file holds Apache directives; NGINX never reads it, and the same is true of Apache configured with “AllowOverride None”. The plugin does not detect this, and nothing in its UI tells the administrator that the rule is not being applied. Consequently, users falsely rely on this feature without it ever working on most WordPress hosts, which nowadays mostly use NGINX + PHP-FPM. The condition is easy to verify: request wp-login.php from an IP address that is not on the allowlist. If the login form is served instead of a 403 response, the allowlist is not being enforced.

Proposed patch


Don’t rely on “.htaccess” files in distributed plugins. They are Apache-only configuration and silently do nothing elsewhere. Enforce the allowlist in PHP, where it runs on every web server the plugin is installed on, and if a server-level rule is written in addition, check that it is actually honoured and tell the user when it is not.
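The following is an added, illustrative example of the proposed approach: a login-page IP allowlist enforced in PHP on the “login_init” hook, so it behaves the same on Apache, NGINX or any other web server running WordPress. It is not the plugin’s code and makes no claim about how the plugin stores its list; the option name “example_login_allowlist” (one IP or CIDR per line) and the function names are assumptions made for this example. It deliberately reads only REMOTE_ADDR, since trusting a client-supplied X-Forwarded-For header would let anyone bypass the list by sending the header.

```php
<?php
/**
 * Plugin Name: Example login IP allowlist (illustrative, not the audited plugin's code)
 *
 * Drop into wp-content/mu-plugins/. The option 'example_login_allowlist' is a
 * hypothetical setting assumed for this example: newline-separated IPv4/IPv6
 * addresses, optionally with a /prefix length.
 */

/** Return true when $ip falls inside any entry of $allowlist. Unparsable input is denied. */
function example_login_ip_allowed(string $ip, array $allowlist): bool {
    $addr = inet_pton($ip);            // 4 bytes for IPv4, 16 for IPv6, false if malformed
    if ($addr === false) {
        return false;
    }
    foreach ($allowlist as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue;
        }
        [$net, $bits] = array_pad(explode('/', $entry, 2), 2, null);
        $netAddr = inet_pton($net);
        // Skip malformed entries and address-family mismatches (an IPv4 entry never matches an IPv6 client).
        if ($netAddr === false || strlen($netAddr) !== strlen($addr)) {
            continue;
        }
        $maxBits = strlen($addr) * 8;
        $bits = ($bits === null) ? $maxBits : (int) $bits;   // bare address == full-length prefix
        if ($bits < 0 || $bits > $maxBits) {
            continue;
        }
        if (example_prefix_matches($addr, $netAddr, $bits)) {
            return true;
        }
    }
    return false;
}

/** Compare the first $bits bits of two packed addresses of equal length. */
function example_prefix_matches(string $a, string $b, int $bits): bool {
    $fullBytes = intdiv($bits, 8);
    if (substr($a, 0, $fullBytes) !== substr($b, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;   // high $rem bits of the partial byte
    return (ord($a[$fullBytes]) & $mask) === (ord($b[$fullBytes]) & $mask);
}

// 'login_init' fires for every request to wp-login.php before any output, regardless of web server.
add_action('login_init', function () {
    $raw = (string) get_option('example_login_allowlist', '');   // hypothetical option
    $allowlist = preg_split('/\R+/', $raw, -1, PREG_SPLIT_NO_EMPTY);
    if ($allowlist === []) {
        return;   // feature not configured: do not lock anyone out
    }
    // REMOTE_ADDR is set by the web server itself. X-Forwarded-For is attacker-controlled
    // unless a trusted reverse proxy rewrites REMOTE_ADDR for you, so it is not consulted here.
    $client = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!example_login_ip_allowed($client, $allowlist)) {
        wp_die('Access to the login page is restricted.', 'Forbidden', ['response' => 403]);
    }
});
```

Because the check runs inside PHP, the verification described under “Proof of concept” gives the same result on every server: a request to wp-login.php from an address outside the list receives a 403 rather than the login form. If the site sits behind a reverse proxy, REMOTE_ADDR must be corrected at the web-server layer (for example with NGINX’s real_ip module, restricted to the proxy’s addresses) before this check sees it.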

Timeline


Vendor contacted: September 10, 2022
First response: September 12, 2022
Fully patched at: September 29, 2022
Publicly disclosed: April 24, 2023

Miscellaneous


2 responses

  1. indigetal

    The plugin is now in version 5.1.9 and this issue was fixed September 29, 2022 in version 5.0.8. That’s within 2 weeks of being notified (5.0.7 > 5.0.8) and they even credit Calvin in the changelog for bringing it up:

    “FIX: The login whitelisting didn’t work on servers not supporting .htaccess files, without this information being displayed in the user interface. The feature is now ported to PHP so that it works on all servers. Thanks to Calvin Alkan for identifying this issue.”

    This page needs to be updated to reflect that.

    1. Thanks for the update.

      We have updated the information.

      “That’s within 2 weeks of being notified (5.0.7 > 5.0.8) and they even credit Calvin in the changelog for bringing it up”

      Please refer to our bolded disclaimer here:

      https://snicco.io/vulnerability-disclosure


      For vendors:
      Potential patches were last evaluated on September 21, 2022.
      If an issue has been fixed let us know through the comment form on the respective disclosure page.
