
Secure XML-RPC

More secure wrapper for the WordPress XML-RPC interface.

Description

Rather than sending usernames and passwords in plain text with every request, we're going to use a set of public/secret keys to hash data and authenticate instead.

On your WordPress profile, you will see a new "Remote Publishing Permissions" section listing out the applications that have permission to publish, along with their public and secret keys.

New applications can be added whenever you want. You can also change the names of applications, or revoke publishing permission by deleting them.

Installation

Manual Installation

  1. Upload the entire /secure-xml-rpc directory to the /wp-content/plugins/ directory.
  2. Activate Secure XML-RPC through the 'Plugins' menu in WordPress.

Frequently Asked Questions

How do I use the new authorization?

The old username/password paradigm can still be used, but will result in an X-Deprecated header being returned by the server.

From now on, you will send an Authorization header. This header will be the publishing application's public key, two pipe (|) characters, and a hash of the application's secret key concatenated with the body of the request.

How do I generate the message hash?

Say your application has the following information:

  • Public Key: b730db0864b0d4453ba6a26ad6613cd4
  • Secret Key: 7647a19f5bf3e9fd001419900ad48a54

And you want to make the following request (whitespace/indentation is added here for readability, but is removed when calculating hashes):

<?xml version="1.0"?>
<methodCall>
  <methodName>wp.getPosts</methodName>
  <params>
    <param>
      <value><i4>1</i4></value>
    </param>
    <param>
      <value><string></string></value>
    </param>
    <param>
      <value><string></string></value>
    </param>
  </params>
</methodCall>

Note that the second and third parameters (traditionally username and password) are empty. Usernames and passwords can still be specified, but will result in the server returning an X-Deprecated header.

Your Authorization header would thus become:

b730db0864b0d4453ba6a26ad6613cd4||f0b73fddf91b2358bc28faa745c8c25d3b0d9a36f5456e8181154c54874d81e5

The second part of the header is generated in PHP by calculating:

hash( 'sha256', '7647a19f5bf3e9fd001419900ad48a54' . hash( 'sha256', '7647a19f5bf3e9fd001419900ad48a54' . {request_body} ) )

WordPress will read the header and log you in as usual, but you never need to send your password across the wire.

In this paradigm, application secret keys should also be treated as passwords - they are sensitive information!

Why are we using the secret key twice?

Some developers raised concerns about length extension attacks in previous editions of the plugin. While length extension isn't strictly a concern when dealing with XML-based messaging, a double hash helps end the discussion around potentially-related vulnerabilities.

The double-hash is similar to but simpler than HMAC and is fairly easy to implement in any programming language. Just note, PHP's hash() function returns a base64-encoded string, not a raw hash of the data passed in.
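The header computation from the FAQ above and the double hash it explains, as an added Python example that is not part of the plugin (which is PHP): a client-side builder plus the matching server-side check using the constant-time comparison the 1.0.0 changelog mentions. The keys, key store and compact request body are constructed, and the inner digest is fed to the outer hash as the 64-character hex string that the FAQ's example header shows; the resulting digest depends on the exact body bytes, so the test checks round-trip verification rather than reproducing the FAQ's value.

```python
import hashlib
import hmac

# Constructed sample credentials (the FAQ's example values); not real keys.
PUBLIC_KEY = "b730db0864b0d4453ba6a26ad6613cd4"
SECRET_KEY = "7647a19f5bf3e9fd001419900ad48a54"
# Server-side lookup, public key -> secret key (constructed stand-in for
# the keys the plugin keeps on the user profile).
KEY_STORE = {PUBLIC_KEY: SECRET_KEY}

# Constructed request body in compact form: the FAQ strips readability
# whitespace before hashing, so hash exactly the bytes you will send.
REQUEST_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>wp.getPosts</methodName>'
    '<params><param><value><i4>1</i4></value></param>'
    '<param><value><string></string></value></param>'
    '<param><value><string></string></value></param></params></methodCall>'
)


def sha256_hex(data: bytes) -> str:
    """Same output as PHP hash('sha256', $data): a 64-char lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def message_hash(secret: str, body: str) -> str:
    """hash('sha256', secret . hash('sha256', secret . body)) from the FAQ.

    The inner digest is fed to the outer hash as its hex string, so the
    outer input is the secret followed by 64 hex characters, not raw bytes."""
    inner = sha256_hex((secret + body).encode("utf-8"))
    return sha256_hex((secret + inner).encode("utf-8"))


def build_authorization_header(public_key: str, secret: str, body: str) -> str:
    """Client side: '<public key>||<double hash of secret and body>'."""
    return f"{public_key}||{message_hash(secret, body)}"


def verify_authorization_header(header: str, body: str) -> bool:
    """Server side: recompute for the claimed public key and compare in
    constant time, as the 1.0.0 changelog's constant-time comparison does."""
    parts = header.split("||")
    if len(parts) != 2:
        return False
    public_key, provided = parts
    secret = KEY_STORE.get(public_key)
    if secret is None:
        return False
    return hmac.compare_digest(message_hash(secret, body), provided)
```

Any change to the body bytes after the header is computed (an extra space, a different line ending) makes verification fail, which is the behaviour the second issue below runs into.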

Do I have to copy/paste my application keys into remote systems?

Not necessarily.

The latest version of the plugin adds a new XML-RPC method to the system that allows for the generation of user-specific application keys remotely. Please only ever call this method over a secure/trusted network connection when setting up an application for the first time.

Screenshots

  1. The new Remote Publishing Permissions area of the user profile.

Changelog

1.0.0

  • New: Add a custom RPC method for generating application keys remotely.
  • Dev change: Move all functional implementations inside our pseudo-namespace.
  • Dev change: Use a constant-time string comparison method for better security and less data leakage during authentication.
  • Dev change: Use a double-hash to prevent any potential length-extension attacks.

0.1.0

  • First release

Upgrade Notice

1.0.0

The hashing mechanism for generating authentication headers has changed slightly. Please refer to the FAQs for an example of how things work with a double-hash in the newest version.

0.1.0

First Release

Additional Information

Contributors: ericmann
Donate link: http://wordpress.org/plugins/secure-xml-rpc/
Tags: xmlrpc, security, oauth, authentication
Requires at least: 3.8
Tested up to: 4.0
Stable tag: 1.0.0
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html

Lock graphic designed by Scott Lewis from the thenounproject.com

Issues

Configure HTTP Authorization header

The problem still exists: If I send the HTTP header "Authorization: ..." on my machine, line 208 of $/includes/XMLRPCS_Profile.php says that $_SERVER['HTTP_AUTHORIZATION'] isn't set and will abort further plugin code execution. How to fix that for an Apache webserver in a secure way? Would a .htaccess on the root directory of the WordPress do it, containing the lines

RewriteEngine on
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

or would that too use a system environment variable to pass the authorization header on to PHP?

Confused calculating authorization header

Could you please clarify the creation of the Authorization string.

I have checked your sample and couldn't calculate the shown results in many cases (body without white spaces, body with linefeeds, body without linefeeds, ...).

In my real-life test I got only error messages caused by wrong password or user name.

Thx
