Ubuntu
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
title = __( 'Check if your server lists the PHP modules (known as "PHP Easter Egg").', 'secupress' );
$this->more = __( 'PHP contains a flaw that discloses sensitive information about installed modules, resulting in a loss of confidentiality.', 'secupress' );
$this->more_fix = sprintf(
__( 'Activate the %1$s protection from the module %2$s.', 'secupress' ),
'' . __( 'PHP Disclosure', 'secupress' ) . '',
'' . __( 'Sensitive Data', 'secupress' ) . ''
);
if ( ! $is_apache && ! $is_nginx && ! $is_iis7 ) {
$this->more_fix = static::get_messages( 301 );
$this->fixable = false;
}
}
/**
* Get messages.
*
* @since 1.0
*
* @param (int) $message_id A message ID.
*
* @return (string|array) A message if a message ID is provided. An array containing all messages otherwise.
*/
public static function get_messages( $message_id = null ) {
global $is_apache;
$config_file = $is_apache ? '.htaccess' : 'web.config';
/** Translators: 1 is the name of a protection, 2 is the name of a module. */
$activate_protection_message = sprintf( __( 'But you can activate the %1$s protection from the module %2$s.', 'secupress' ),
'' . __( 'PHP Disclosure', 'secupress' ) . '',
'' . __( 'Sensitive Data', 'secupress' ) . ''
);
$messages = array(
// "good"
0 => __( 'Your site does not reveal the PHP modules.', 'secupress' ),
/** Translators: %s is a file name. */
1 => sprintf( __( 'The rules forbidding access to the PHP Easter Egg have been successfully added to your %s file.', 'secupress' ), "$config_file" ),
// "warning"
100 => __( 'Unable to determine if your homepage is disclosing the PHP modules.', 'secupress' ) . ' ' . $activate_protection_message,
// "bad"
/** Translators: %s is a URL. */
200 => sprintf( __( '%s should not be accessible to anyone.', 'secupress' ), '' . esc_url( user_trailingslashit( home_url() ) . '?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000' ) . '' ),
// "cantfix"
/** Translators: 1 is a file name, 2 is some code. */
300 => sprintf( __( 'Your server runs Nginx, PHP modules disclosure cannot be protected automatically but you can do it yourself by adding the following code to your %1$s file: %2$s', 'secupress' ), 'nginx.conf', '%s' ),
301 => __( 'Your server runs an unrecognized system. PHP modules disclosure cannot be protected automatically.', 'secupress' ),
/** Translators: 1 is a file name, 2 is some code. */
302 => sprintf( __( 'Your %1$s file is not writable. Please add the following lines at the beginning of the file: %2$s', 'secupress' ), "$config_file", '%s' ),
/** Translators: 1 is a file name, 2 is a folder path (kind of), 3 is some code. */
303 => sprintf( __( 'Your %1$s file is not writable. Please add the following lines inside the tags hierarchy %2$s (create it if does not exist): %3$s', 'secupress' ), "$config_file", '%1$s', '%2$s' ),
);
if ( isset( $message_id ) ) {
return isset( $messages[ $message_id ] ) ? $messages[ $message_id ] : __( 'Unknown message', 'secupress' );
}
return $messages;
}
/** Getters. ================================================================================ */
/**
* Get the documentation URL.
*
* @since 1.2.3
*
* @return (string)
*/
public static function get_docs_url() {
return __( 'https://docs.secupress.me/article/103-php-modules-disclosure-scan', 'secupress' );
}
/** Scan. =================================================================================== */
/**
* Scan for flaw(s).
*
* @since 1.0
*
* @return (array) The scan results.
*/
public function scan() {
$activated = $this->filter_scanner( __CLASS__ );
if ( true === $activated ) {
$this->add_message( 0 );
return parent::scan();
}
// - http://osvdb.org/12184
$response = wp_remote_get( user_trailingslashit( home_url() ) . '?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000', $this->get_default_request_args() );
if ( ! is_wp_error( $response ) && 200 === wp_remote_retrieve_response_code( $response ) ) {
$response_body = wp_remote_retrieve_body( $response );
if ( strpos( $response_body, 'PHP Credits
' ) > 0 && strpos( $response_body, 'phpinfo()' ) > 0 ) {
// "bad"
$this->add_message( 200 );
if ( ! $this->fixable ) {
$this->add_pre_fix_message( 301 );
}
}
}
// "good"
$this->maybe_set_status( 0 );
return parent::scan();
}
/** Fix. ==================================================================================== */
/**
* Try to fix the flaw(s).
*
* @since 1.4.5
*
* @return (array) The fix results.
*/
public function need_manual_fix() {
return [ 'fix' => 'fix' ];
}
/**
* Get an array containing ALL the forms that would fix the scan if it requires user action.
*
* @since 1.4.5
*
* @return (array) An array of HTML templates (form contents most of the time).
*/
protected function get_fix_action_template_parts() {
return [ 'fix' => ' ' ];
}
/**
* Try to fix the flaw(s) after requiring user action.
*
* @since 1.4.5
*
* @return (array) The fix results.
*/
public function manual_fix() {
if ( $this->has_fix_action_part( 'fix' ) ) {
$this->fix();
}
// "good"
$this->add_fix_message( 1 );
return parent::manual_fix();
}
/**
* Try to fix the flaw(s).
*
* @since 1.0
*
* @return (array) The fix results.
*/
public function fix() {
global $is_apache, $is_nginx, $is_iis7;
if ( $is_apache ) {
$this->fix_apache();
} elseif ( $is_iis7 ) {
$this->fix_iis7();
} elseif ( $is_nginx ) {
$this->fix_nginx();
}
// "good"
$this->maybe_set_fix_status( 0 );
return parent::fix();
}
/**
* Fix for Apache system.
*
* @since 1.0
*/
protected function fix_apache() {
global $wp_settings_errors;
secupress_activate_submodule( 'sensitive-data', 'php-easter-egg' );
// Got error?
$last_error = is_array( $wp_settings_errors ) && $wp_settings_errors ? end( $wp_settings_errors ) : false;
if ( $last_error && 'general' === $last_error['setting'] && 'apache_manual_edit' === $last_error['code'] ) {
$rules = static::get_rules_from_error( $last_error );
// "cantfix"
$this->add_fix_message( 302, array( $rules ) );
array_pop( $wp_settings_errors );
return;
}
// "good"
$this->add_fix_message( 1 );
}
/**
* Fix for IIS7 system.
*
* @since 1.0
*/
protected function fix_iis7() {
global $wp_settings_errors;
secupress_activate_submodule( 'sensitive-data', 'php-easter-egg' );
// Got error?
$last_error = is_array( $wp_settings_errors ) && $wp_settings_errors ? end( $wp_settings_errors ) : false;
if ( $last_error && 'general' === $last_error['setting'] && 'iis7_manual_edit' === $last_error['code'] ) {
$rules = static::get_rules_from_error( $last_error );
$path = static::get_code_tag_from_error( $last_error, 'secupress-iis7-path' );
// "cantfix"
$this->add_fix_message( 303, array( $path, $rules ) );
array_pop( $wp_settings_errors );
return;
}
// "good"
$this->add_fix_message( 1 );
}
/**
* Fix for nginx system.
*
* @since 1.0
*/
protected function fix_nginx() {
global $wp_settings_errors;
secupress_activate_submodule( 'sensitive-data', 'php-easter-egg' );
// Get the error.
$last_error = is_array( $wp_settings_errors ) && $wp_settings_errors ? end( $wp_settings_errors ) : false;
$rules = 'Error';
if ( $last_error && 'general' === $last_error['setting'] && 'nginx_manual_edit' === $last_error['code'] ) {
$rules = static::get_rules_from_error( $last_error );
array_pop( $wp_settings_errors );
}
// "cantfix"
$this->add_fix_message( 300, array( $rules ) );
}
}