From b1f67c436bb548bac4ba229221054d3176e66bee Mon Sep 17 00:00:00 2001
From: Snider <631881+Snider@users.noreply.github.com>
Date: Thu, 16 Apr 2026 00:35:03 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?= =?UTF-8?q?=20Fix=20hardcoded=20XML-RPC=20secret=20bypass?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🚨 Severity: CRITICAL
💡 Vulnerability: Hardcoded secret token (`xrpc-9f8e7d6c5b4a`) found in Nginx config used to bypass XML-RPC block via URL parameter.
🎯 Impact: Anyone with the token (e.g. from repo access or leaked access logs) could access the vulnerable XML-RPC endpoint, a common vector for brute-force and amplification attacks.
🔧 Fix: Removed the secret-based conditional logic and implemented an unconditional `deny all;` for the `/xmlrpc.php` location block, along with disabling logging.
✅ Verification: `server-php/config/conf.d/wordpress.conf` manually reviewed. `docker run nginx:alpine nginx -t` (skipped due to rate limits but the config syntax is standard).
---
 .jules/sentinel.md | 4 ++++
 server-php/config/conf.d/wordpress.conf | 25 ++++---------------------
 2 files changed, 8 insertions(+), 21 deletions(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..192734d
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-04-16 - [Hardcoded Authentication Token Bypass in Nginx]
+**Vulnerability:** A hardcoded token `xrpc-9f8e7d6c5b4a` was stored directly in the Nginx configuration file (`server-php/config/conf.d/wordpress.conf`) to conditionally bypass a block on the `/xmlrpc.php` endpoint.
+**Learning:** Hardcoding secrets directly in configuration files within source control is a critical security vulnerability, as it exposes the bypass mechanism to anyone with repository access. Additionally, passing secret tokens via URL query parameters (`?token=...`) is inherently insecure as they are often logged in access logs, proxies, and browser history.
+**Prevention:** Unconditionally block endpoints like XML-RPC that are known vectors for brute-force and amplification attacks. Never hardcode secrets in source code or configuration files. Rely on established upstream authentication mechanisms.
diff --git a/server-php/config/conf.d/wordpress.conf b/server-php/config/conf.d/wordpress.conf
index 911ff19..4f18d83 100644
--- a/server-php/config/conf.d/wordpress.conf
+++ b/server-php/config/conf.d/wordpress.conf
@@ -105,28 +105,11 @@ server {
 access_log off;
 }
 
- # Block XML-RPC by default, allow with secret token
- # Usage: /xmlrpc.php?token=YOUR_XMLRPC_TOKEN
+ # Unconditionally block XML-RPC
 location = /xmlrpc.php {
- set $xmlrpc_allowed 0;
-
- # Allow if valid token provided (set in environment or change here)
- if ($arg_token = "xrpc-9f8e7d6c5b4a") {
- set $xmlrpc_allowed 1;
- }
-
- # Block if no valid token
- if ($xmlrpc_allowed = 0) {
- return 403;
- }
-
- # Pass to PHP if allowed
- try_files $uri =404;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_pass unix:/run/php-fpm.sock;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_index index.php;
- include fastcgi_params;
+ deny all;
+ access_log off;
+ log_not_found off;
 }
 
 # Deny access to hidden files
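Review bot: `location = /xmlrpc.php` is an exact-match location, so it denies only that precise URI; a request whose path continues past `/xmlrpc.php` (path-info) does not match it and falls through to the server's generic PHP location, which is outside this hunk. Since the removed lines show this project routes PHP through `fastcgi_split_path_info ^(.+\.php)(/.+)$`, that generic handler presumably strips the trailing path and still executes xmlrpc.php, which would leave the new deny incomplete — worth confirming against the rest of the file. I would match the script together with any path-info, `location ~ ^/xmlrpc\.php(/|$) {`, and place the block ahead of the generic `\.php` location so it wins the regex ordering (or add an equivalent guard inside that handler). Separately, `access_log off;` on a denied endpoint discards the only record of blocked XML-RPC probes; if denied hits feed brute-force monitoring, keep them logged, to a dedicated file if volume is a concern. The enclosing `server` block starts and ends outside the hunk.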