diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..2bdaebd --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,5 @@ + +## 2024-04-02 - [CRITICAL] Removed hardcoded XML-RPC bypass token +**Vulnerability:** A hardcoded secret token (`xrpc-9f8e7d6c5b4a`) was present in `server-php/config/conf.d/wordpress.conf` which allowed bypassing the XML-RPC block (`/xmlrpc.php`). This means anyone with the source code could bypass the security control. +**Learning:** Hardcoded tokens or passwords in Nginx configurations (or any source code) should be strictly avoided. Authentication logic shouldn't rely on static strings in proxy/webserver configurations, as they are often exposed or leak via version control. +**Prevention:** Remove hardcoded conditional blocks and replace them with unconditional `deny all;` blocks. If bypasses are necessary, they should rely on secure upstream authentication mechanisms instead of hardcoded `$arg_token` matching. diff --git a/server-php/config/conf.d/wordpress.conf b/server-php/config/conf.d/wordpress.conf index 911ff19..4f18d83 100644 --- a/server-php/config/conf.d/wordpress.conf +++ b/server-php/config/conf.d/wordpress.conf @@ -105,28 +105,11 @@ server { access_log off; } - # Block XML-RPC by default, allow with secret token - # Usage: /xmlrpc.php?token=YOUR_XMLRPC_TOKEN + # Unconditionally block XML-RPC location = /xmlrpc.php { - set $xmlrpc_allowed 0; - - # Allow if valid token provided (set in environment or change here) - if ($arg_token = "xrpc-9f8e7d6c5b4a") { - set $xmlrpc_allowed 1; - } - - # Block if no valid token - if ($xmlrpc_allowed = 0) { - return 403; - } - - # Pass to PHP if allowed - try_files $uri =404; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:/run/php-fpm.sock; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_index index.php; - include fastcgi_params; + deny all; + access_log off; + log_not_found off; } # Deny access to hidden files