From 62bd8f3e6be3d24d017f5d13365588717c7a4439 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Szekeres=20Ba=CC=81lint?= <szekeres.balint@hps.hu>
Date: Wed, 21 Feb 2018 01:54:13 +0100
Subject: [PATCH] WordPress: fix CVE-2018-6389

---
 public/index.html                          |  2 +-
 public/templates/commands.html             | 27 ++++++++++++++++++----
 public/templates/conf/_wordpress.conf.html |  5 ++++
 3 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/public/index.html b/public/index.html
index f92515d..4de2e35 100644
--- a/public/index.html
+++ b/public/index.html
@@ -293,7 +293,7 @@
 					<div class="col-md-6 col-lg-7 files">
 						<div class="row grid">
 							<div class="grid-sizer col-xl-6"></div>
-							<div ng-if="isHTTPS()" class="grid-item col-xl-12" ng-cloak>
+							<div ng-if="isHTTPS() || isWordPress()" class="grid-item col-xl-12" ng-cloak>
 								<div class="commands">
 									<pre><code class="hljs bash" ng-include="'templates/commands.html'"></code></pre>
 								</div>
diff --git a/public/templates/commands.html b/public/templates/commands.html
index eee5b50..12e703c 100644
--- a/public/templates/commands.html
+++ b/public/templates/commands.html
@@ -1,10 +1,29 @@
-<span class="hljs-comment"># HTTPS: create Diffie-Hellman keys</span>
+<!--
+✔ HTTPS --><span ng-if="isHTTPS()"><!--
+
+--><span class="hljs-comment"># <strong>HTTPS</strong>: create Diffie-Hellman keys</span>
 <span class="hljs-section">openssl dhparam</span> <span class="hljs-attribute">-dsaparam</span> <span class="hljs-attribute">-out</span> /etc/nginx/dhparam.pem <span class="hljs-number">2048</span><!--
 
+--></span><!--
+
+
 ✔ Let's Encrypt --><span ng-if="isLetsEncrypt()">
 
-<span class="hljs-comment"># HTTPS: create ACME-challenge common directory</span>
+<span class="hljs-comment"># <strong>HTTPS</strong>: create ACME-challenge common directory</span>
 <span class="hljs-section">sudo</span> <span class="hljs-attribute">-u</span> {{ data.user }} <span class="hljs-section">sh</span> <span class="hljs-attribute">-c</span> "<span class="hljs-section">mkdir</span> <span class="hljs-attribute">-p</span> /var/www/_letsencrypt"
 
-<span class="hljs-comment"># HTTPS: certbot (obtain certificates)<br># disable before first run: <strong>ssl_certificate</strong>, <strong>ssl_certificate_key</strong>, <strong>ssl_trusted_certificate</strong></span>
-<span class="hljs-section">certbot certonly</span> <span class="hljs-attribute">--webroot</span> <span class="hljs-attribute" tooltips tooltip-template="--domain">-d</span> {{ domain() }} <span class="hljs-attribute" tooltips tooltip-template="--domain">-d</span> www.{{ domain() }}<span ng-if="isCDN()"> <span class="hljs-attribute" tooltips tooltip-template="--domain">-d</span> cdn.{{ domain() }}</span> <span class="hljs-attribute">--email</span> {{ data.email ? data.email : 'hello@' + domain() }} <span class="hljs-attribute" tooltips tooltip-template="--webroot-path">-w</span> /var/www/_letsencrypt <span class="hljs-attribute" tooltips tooltip-template="--non-interactive">-n</span> <span class="hljs-attribute">--agree-tos</span> <span class="hljs-attribute">--force-renewal</span></span>
+<span class="hljs-comment"># <strong>HTTPS</strong>: certbot (obtain certificates)<br># disable before first run: <strong>ssl_certificate</strong>, <strong>ssl_certificate_key</strong>, <strong>ssl_trusted_certificate</strong></span>
+<span class="hljs-section">certbot certonly</span> <span class="hljs-attribute">--webroot</span> <span class="hljs-attribute" tooltips tooltip-template="--domain">-d</span> {{ domain() }} <span class="hljs-attribute" tooltips tooltip-template="--domain">-d</span> www.{{ domain() }}<span ng-if="isCDN()"> <span class="hljs-attribute" tooltips tooltip-template="--domain">-d</span> cdn.{{ domain() }}</span> <span class="hljs-attribute">--email</span> {{ data.email ? data.email : 'hello@' + domain() }} <span class="hljs-attribute" tooltips tooltip-template="--webroot-path">-w</span> /var/www/_letsencrypt <span class="hljs-attribute" tooltips tooltip-template="--non-interactive">-n</span> <span class="hljs-attribute">--agree-tos</span> <span class="hljs-attribute">--force-renewal</span><!--
+
+--></span><!--
+
+
+✔ HTTPS && ✔ WordPress --><span ng-if="isHTTPS() && isWordPress()">
+
+</span><!--
+
+
+✔ WordPress --><span ng-if="isWordPress()"><!--
+
+--><span class="hljs-comment"># <strong>WordPress</strong>: add to <strong>wp-config.php</strong> <small>(<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389" target="_blank">CVE-2018-6389</a>)</small></span>
+<span class="hljs-section">define(<span class="hljs-string">'CONCATENATE_SCRIPTS'</span>, <span class="hljs-literal">false</span>);</span></span>
diff --git a/public/templates/conf/_wordpress.conf.html b/public/templates/conf/_wordpress.conf.html
index a29ac04..dc00feb 100644
--- a/public/templates/conf/_wordpress.conf.html
+++ b/public/templates/conf/_wordpress.conf.html
@@ -18,6 +18,11 @@ location ~* ^/wp-content/plugins/.*\.(?!{{ extensions.assets }}|{{ extensions.fo
 	deny all;
 }
 
+# disable scripts and styles concat
+location ~* \/wp-admin\/load-(?:scripts|styles)\.php {
+	deny all;
+}
+
 # WordPress stuff
 location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
 	deny all;