Bug in basic auth implementation causes WordFence to flag normal users as brute force attempts #954
Comments
|
I believe so, yes, the comments in Event Espresso's version of basic auth explain: //account for issue where some servers remove the PHP auth headers What we had found is many servers would not allow basic auth to authenticate with the site when using the EE4 mobile apps. So the workarounds that you noticed were added in, starting with some code that was offered in WP-API/Basic-Auth#1 and iterated on later. What you could do is install the original basic-auth plugin and the |
|
I understand that this was done for a reason, but I think it was a mistake to close this bug. This issue causes WordPress to attempt to authenticate a server-level user over, and over, and over again on every page load. That's abusive behavior in terms of server resources, and has potential security implications as well, since a user could authenticate simply using HTTP authentication, while bypassing WP's normal cookie + POST data system. What if my HTTP auth credentials happened to be the same as one of my actual WP users? Then we'd be in real trouble. I'd request that this issue be re-opened and treated as a security complaint. |
|
Hi, There's already discussion/planning elsewhere to:
So that's why I closed this issue. There is a developer tasked with the above items. Since you need a fix for this today, you could either: |
|
Hey @360Zen, thanks for sharing your use-case and findings. So as I understand it, the remaining issues are:
Regarding it being another attack vector, yes, enabling another way to authenticate (in order to enable using the mobile apps) does add another attack vector. I created #974 in order to somewhat reduce that, but the only real fix to removing that attack vector is to disable basic auth login for WordPress entirely. The following code snippet does that: My pull request will also reduce that unnecessary checking basic auth's credential's against WordPress on all normal requests. (Although I don't think that server load would have been onerous, but may as well remove it in this case). So I don't think that code snippet and pull request will entirely answer your concerns, but I hope they help. We've always been intending for our usage of Basic Auth to be a temporary solution until WordPress comes with a built-in way for authentication. |
|
Thanks to both of you for the reply. I'm glad to see that it's being addressed and I appreciate the help with a temporary solution. Cheers! |
I have Event Espresso running on a staging site with HTTP authentication (nginx basic auth) set up to protect it from public viewing. For example purposes, we'll say the username for this authentication is "staging". This staging site also uses WordFence to provide brute force protection from repeated login attempts under the same username. Unfortunately, Event Espresso appears to be breaking this brute force protection.
I believe it is because of some code in this file: https://github.com/eventespresso/event-espresso-core/blob/master/core/third_party_libs/wp-api-basic-auth/basic-auth.php. On lines 45-47, the HTTP credentials are retrieved in place of standard login credentials. Then, on line 87, there is an attempt to authenticate with these credentials using wp_authenticate(). So, with all of these things combined, when using the staging site, any non-logged-in page views are flagged by WordFence as login attempts with the username "staging".
I noticed that this substitution is not done in the original library being used here: https://github.com/WP-API/Basic-Auth/blob/master/basic-auth.php. Is there any reason to try to use HTTP credentials as a substitute for proper WP login credentials?
The text was updated successfully, but these errors were encountered: