diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..c76078e --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2024-05-15 - [CRITICAL] Nginx Hardcoded Secret in Configuration +**Vulnerability:** A hardcoded token (`$arg_token = "xrpc-9f8e7d6c5b4a"`) was used in `server-php/config/conf.d/wordpress.conf` to bypass the XML-RPC block, allowing anyone who discovers the config or knows the secret to bypass the intended block. +**Learning:** Hardcoded secrets in infrastructure configuration files (like Nginx) are just as dangerous as hardcoded secrets in application code, and can bypass intended application-level or routing-level security controls entirely. +**Prevention:** Nginx configuration files should rely on unconditional blocks, robust authentication schemes (like upstream checks or standard HTTP auth), or environment-injected configurations rather than hardcoded string matching. diff --git a/server-php/config/conf.d/wordpress.conf b/server-php/config/conf.d/wordpress.conf index 911ff19..efafd26 100644 --- a/server-php/config/conf.d/wordpress.conf +++ b/server-php/config/conf.d/wordpress.conf @@ -105,28 +105,11 @@ server { access_log off; } - # Block XML-RPC by default, allow with secret token - # Usage: /xmlrpc.php?token=YOUR_XMLRPC_TOKEN + # Block XML-RPC unconditionally location = /xmlrpc.php { - set $xmlrpc_allowed 0; - - # Allow if valid token provided (set in environment or change here) - if ($arg_token = "xrpc-9f8e7d6c5b4a") { - set $xmlrpc_allowed 1; - } - - # Block if no valid token - if ($xmlrpc_allowed = 0) { - return 403; - } - - # Pass to PHP if allowed - try_files $uri =404; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:/run/php-fpm.sock; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_index index.php; - include fastcgi_params; + deny all; + access_log off; + log_not_found off; } # Deny access to hidden files