[wp-trac] Re: [WordPress Trac] #6871: Plugins without headers don't show in the plugins page, keeping some exploits hidden

WordPress Trac wp-trac at lists.automattic.com
Tue Apr 29 14:23:35 GMT 2008


#6871: Plugins without headers don't show in the plugins page, keeping some
exploits hidden
------------------------------+---------------------------------------------
 Reporter:  guillep2k         |        Owner:  anonymous
     Type:  defect            |       Status:  new      
 Priority:  high              |    Milestone:  2.5.2    
Component:  Security          |      Version:  2.5      
 Severity:  critical          |   Resolution:           
 Keywords:  exploit security  |  
------------------------------+---------------------------------------------
Comment (by filosofo):

 I think it's a good idea to deactivate invalid plugins, but I'm not sure
 that this will provide much protection from this kind of attack.  Once an
 attacker has managed to include his "plugin" in the list of active
 plugins, all he has to do is provide a legitimate header format, then
 filter the output buffer to hide all mention of it from the admin.

 Since he can apparently write to your filesystem and modify your database,
 a rogue plugin is really just the beginning of your worries.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/6871#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software