Posted By: peopleinside on April 14, 2016, 8:17 am |
Hi,
Today I was testing the Wordfence plugin on my WordPress, in particular the BAN IP function. I have found maybe a bug in that plugin, but also an issue with Webuzo. If I ban an IP manually in the Wordfence plugin and I have the performance setup active in Wordfence, the banned IP will not see the Wordfence ban page but is redirected I don't know where in the VPS. The issue with Webuzo, in my case for two websites, is that the banned IP is redirected to the Webuzo default page, which gives information to the bad user about my admin panel (Webuzo) on my server, so a hacker can now know I am using Webuzo and can see where the login page is, as it is shown on the Webuzo default page. If that hacker made a robot to guess usernames and passwords, how can Webuzo defend against it?
----------------------- PeopleInside Web, security, open source passionate. |
Posted By: peopleinside on April 14, 2016, 11:21 am | Post: 1 |
Maybe for two-factor authentication it could just be an email with a link for direct access to the control panel.
So the user needs to put username and password into Webuzo, and if it is the first time they connect from there, an email is sent to the user to allow the login. But maybe there is another problem in this case: Webuzo emails are not always delivered if they look like SPAM... so I don't know, maybe a system like Google Authenticator is better, or just the possibility to ban an IP only in the Webuzo admin access area and not on all websites of the server. There should be more options under ban IP: there should be a possibility to add a custom message for a single IP ban or a multiple-range IP ban; it should be possible to choose whether to ban an IP from the full server, or just on one website, or in the Webuzo login area; and there should be a possibility to receive an email notification when an admin logs in. Just suggestions for security.

What happens if, as in my case, I ban a hacker's IP and it is redirected to the Webuzo default page, where the hacker can now know the user has the Webuzo control panel and also knows where the login form is, because that page shows how to log in to the admin panel? That hacker was scanning the WordPress website and trying to do bad actions... now that he is banned, he sees the Webuzo default page, which also tells how and where to access the Webuzo admin area. Sure, the hacker doesn't have the password, but he can set up a robot to try all usernames and passwords (brute-force login)... So the user will not know there is a robot trying day and night to guess the password. How does Webuzo manage this case? With what security controls? Also, if the hacker is able to log in, no email notification is sent, so the hacker can do whatever he wants. Tomorrow, if notification is added... If I can log in to the Webuzo admin panel and want to expire all sessions of the connected admin (the hacker), and I just change the password, will the hacker on another PC be logged out, or can he continue to do dangerous actions? This is security.
----------------------- PeopleInside Web, security, open source passionate. |
Posted By: peopleinside on April 25, 2016, 8:30 am | Post: 3 |
You can set SMTP, but when you save the SMTP settings no check is done that the SMTP settings are correct, so if you do it wrong you will be unable to recover your password or receive emails from Webuzo.
I don't know if this issue is now solved, but it is a very bad thing. Before activating the SMTP settings, it should be checked whether the SMTP login credentials are correct. Also, I have tested in the past: if I log in to Webuzo on one PC, then on another PC I log in and change the Webuzo password, the other PC's session is not closed but can continue to do things and actions until the session expires. This is bad.

Quote: but for this the system admin should monitor access logs all the time for this purpose and take immediate action; as you keep your server up 24 hrs a day, you are responsible for this.

Take actions? As I told, also if you change the Webuzo password, active sessions are not closed. I cannot stay logged into Webuzo 24 hours a day to see if something is wrong. For that reason there should be two-factor authentication and the possibility to activate email notification of access to Webuzo, of course with the possibility to disable it for those who don't want this. So future improvements in security like two-factor authentication and fixing the login expiry issue will give more security to the control panel. :-) Thank you
----------------------- PeopleInside Web, security, open source passionate. |
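The session problem raised in Post 1 and Post 3 (changing the password does not log out a session that is already open on another PC) can be shown in a few lines. The following is an added example written for this thread, not Webuzo's code; the `Panel`, `User` and `Session` names and the constructed "admin" account are hypothetical. Each session records the password generation it was issued under; on a password change the generation is bumped and every session from an older generation is refused. The `invalidate_on_change=False` mode reproduces the behaviour described in the post, `True` is the fix.

```python
"""Added example (not Webuzo's code): why a password change should revoke
other sessions, and one way to do it.  All names here are hypothetical."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    pw_generation: int = 0          # bumped on every password change


@dataclass
class Session:
    user: str
    pw_generation: int              # generation the session was issued under
    created: float = field(default_factory=time.time)


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Panel:
    """Toy control-panel login.  invalidate_on_change=False behaves like the
    post describes (old sessions survive a password change); True is the fix."""

    def __init__(self, invalidate_on_change: bool) -> None:
        self.invalidate_on_change = invalidate_on_change
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, hash_pw(password, salt))

    def login(self, name: str, password: str) -> Optional[str]:
        u = self.users.get(name)
        if u is None or not hmac.compare_digest(u.pw_hash, hash_pw(password, u.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, u.pw_generation)
        return token

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        if s is None:
            return False
        u = self.users[s.user]
        if self.invalidate_on_change and s.pw_generation != u.pw_generation:
            del self.sessions[token]    # issued under an old password: revoke it
            return False
        return True

    def change_password(self, token: str, old: str, new: str) -> bool:
        if not self.is_valid(token):
            return False
        u = self.users[self.sessions[token].user]
        if not hmac.compare_digest(u.pw_hash, hash_pw(old, u.salt)):
            return False
        u.salt = os.urandom(16)
        u.pw_hash = hash_pw(new, u.salt)
        u.pw_generation += 1
        # Only the session that made the change moves to the new generation;
        # every other open session for this user is now stale.
        self.sessions[token].pw_generation = u.pw_generation
        return True


def demo(invalidate_on_change: bool) -> Tuple[bool, bool]:
    """Replays the scenario from the post with a constructed 'admin' account.
    Returns (attacker session still valid?, admin session still valid?)."""
    p = Panel(invalidate_on_change)
    p.add_user("admin", "correct horse")
    attacker = p.login("admin", "correct horse")   # hacker already logged in on PC 1
    admin = p.login("admin", "correct horse")      # admin logs in from PC 2
    assert attacker and admin
    assert p.change_password(admin, "correct horse", "new passphrase")
    return p.is_valid(attacker), p.is_valid(admin)


if __name__ == "__main__":
    print("without invalidation:", demo(False))   # (True, True)
    print("with invalidation:   ", demo(True))    # (False, True)
```

A per-user generation counter is cheaper than walking the session table on every password change and also covers sessions stored in files or a cache that the password-change code cannot easily enumerate; a real panel would additionally record the revocation in its access log so the admin can see that a foreign session was cut off.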
Posted By: peopleinside on April 25, 2016, 3:50 pm | Post: 5 |
Thanks. As far as I know, it is not possible (in my case) to customize the Webuzo username.
----------------------- PeopleInside Web, security, open source passionate. |
Posted By: peopleinside on May 31, 2016, 7:22 am | Post: 8 |
Quote From: nikhil.m, May 31, 2016, 6:47 am: Hi fintec-mgmt,
Webuzo must have removed the special character from the password string; if you face this issue in future, try entering the password without the special character.

I think this is very stupid and dangerous for security. This is the worst thing I have heard from Webuzo. Please allow special characters again!!!!
----------------------- PeopleInside Web, security, open source passionate. |
Posted By: peopleinside on May 31, 2016, 7:37 am | Post: 9 |
I noticed special characters are not removed from Webuzo passwords, but only `$` is.
----------------------- PeopleInside Web, security, open source passionate. |