[wp-trac] Re: [WordPress Trac] #5174: If plugin details cleared while activated, "impossible" to deactivate

WordPress Trac wp-trac at lists.automattic.com
Thu Oct 11 17:05:21 GMT 2007


#5174: If plugin details cleared while activated, "impossible" to deactivate
----------------------------+-----------------------------------------------
 Reporter:  Viper007Bond    |        Owner:  anonymous
     Type:  defect          |       Status:  new      
 Priority:  lowest          |    Milestone:  2.5      
Component:  Administration  |      Version:  2.3      
 Severity:  normal          |   Resolution:           
 Keywords:  needs-patch     |  
----------------------------+-----------------------------------------------
Comment (by jaredbangs):

 Yeah, I guess it boils down to the fact that if your file permissions are
 loose enough to allow plugin code to write and/or modify files, you're
 pretty much screwed in any case, even without this bug(?) / issue.

 I wrote a quick proof-of-concept plugin that does what I talked about
 above: creates another plugin with the same name, activates it, and then
 hides itself, so that it appears to the user that they just activated the
 one they thought they did, and if they try to deactivate, they're really
 only deactivating the dummy one, while the original remains active and
 hidden. I can post it if anyone's interested.

 Following up on what santosj said above, it could get even worse and
 harder to detect. Plugins could have a short line buried within them to
 download new code and use it to modify some other plugin that the user has
 already activated (such as Akismet) and then clean up its tracks by
 modifying itself so nothing looks out of the ordinary.

 Such behavior can be easily prevented by implementing proper file
 permissions, but I'm not sure what WP can do about that, other than maybe
 warn the user if they are open to this vulnerability.

 But (getting back to the original bug) it probably would be good for the
 plugin list to always include active plugins without relying (completely)
 on the data in the plugin files themselves.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/5174#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
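
The check suggested in the last two paragraphs of the comment, as an added example that is not part of the original message and not WordPress code: a stand-alone Python audit that takes the list of active plugin paths (the contents of the `active_plugins` option, exported by the site admin) and flags entries that a header-based plugin list would not show, along with files that are group- or world-writable. Assumptions: the `Plugin Name:` header is searched for in the first 8 KB of each file, group/world write bits stand in for "writable by plugin code", and the plugin directory in `demo()` is constructed sample data.

```python
import os
import re
import stat
import tempfile

# Assumption: a plugin appears in the admin list only if this header is found.
HEADER = re.compile(rb"^[ \t/*#@]*Plugin Name:\s*\S", re.MULTILINE | re.IGNORECASE)

def audit_plugins(plugins_dir, active_plugins):
    """Return {relative_path: [findings]} for every active plugin with a problem."""
    report = {}
    for rel in active_plugins:
        path = os.path.join(plugins_dir, rel)
        findings = []
        if not os.path.isfile(path):
            findings.append("missing-file")  # active entry with nothing on disk
        else:
            with open(path, "rb") as fh:
                if not HEADER.search(fh.read(8192)):
                    findings.append("no-header")  # active, but absent from the list
            if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append("group-or-world-writable")
        if findings:
            report[rel] = findings
    return report

def demo():
    """Audit a constructed plugins directory (sample data, not a real site)."""
    samples = {
        "akismet/akismet.php": (b"<?php\n/*\nPlugin Name: Akismet\n*/\n", 0o644),
        "hello.php": (b"<?php\n// header cleared\n", 0o666),
    }
    active = ["akismet/akismet.php", "hello.php", "gone/gone.php"]
    with tempfile.TemporaryDirectory() as root:
        for rel, (body, mode) in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return audit_plugins(root, active)

if __name__ == "__main__":
    print(demo())
```

The audit starts from the stored list of active plugins rather than from what the files say about themselves, so an active entry with a cleared header is reported instead of silently dropping out of view.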