[wp-hackers] protecting wp-content/plugins ?
Alan J Castonguay
alan at verselogic.net
Mon Aug 20 17:29:06 GMT 2007
> Now if you add to this a well configured .htaccess file, the file
> becomes practically invisible.
Returning 404 for direct plugin access does nothing to actually
protect against detection of a known exploitable plugin. It's classic
security through obscurity. In the unlikely case that the plugin is
not dependent on add_action/filter() to bootstrap, but runs code
directly in the global namespace on every page request, then there
could be an exploit in this fashion.
If an attacker knows the common name for an exploitable plugin file
and how it hooks into the public website (given, as the source is
probably available) and that it keys off certain non-validated cookie/
get/post parameters, then all they have to do is construct the URI to
wordpress' index.php and request it.
The best way to protect against this is for the plugin to validate
all access (like to http://example/wp-content/plugins/badplugin.php)
and input (like /index.php?unvalidatedsql=...), and deny anything
that is not specifically desired.
With respect to "knowing the plugins installed is a security risk",
sometimes bloggers make posts like http://www.douglaskarr.com/
2007/04/12/wordpress-what-plugins-am-i-running/ or use plugins like
http://wordpress.org/extend/plugins/wp-pluginsused/ . This knowledge,
together with source should not be sufficient to perform a remote-
More information about the wp-hackers