[wp-trac] Re: [WordPress Trac] #6871: Plugins without headers don't show in the plugins page, keeping some exploits hidden

WordPress Trac wp-trac at lists.automattic.com
Thu May 1 12:52:10 GMT 2008


#6871: Plugins without headers don't show in the plugins page, keeping some
exploits hidden
------------------------------+---------------------------------------------
 Reporter:  guillep2k         |        Owner:  anonymous
     Type:  defect            |       Status:  new      
 Priority:  high              |    Milestone:  2.5.2    
Component:  Security          |      Version:  2.5      
 Severity:  critical          |   Resolution:           
 Keywords:  exploit security  |  
------------------------------+---------------------------------------------
Comment (by guillep2k):

 Hi, DD32. Your method using strpos is better indeed, although it would
 rule out any strange plugin name like 'my...'. Perhaps going a little
 deeper in the same direction?:

 {{{
 strpos($plugin,'/../') === false && substr($plugin,0,3) != '../'
 }}}

 About the patch you wrote before, I think I tested it incorrectly. I
 manually changed the serialized array from active_plugins using phpMyAdmin
 and I inadvertently left two elements with index [0], so my fake plugin
 never existed in the first place. Sorry about that. It does work as
 expected. :)

-- 
Ticket URL: <http://trac.wordpress.org/ticket/6871#comment:10>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
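
The check proposed in the comment above, run against a few plugin paths, as an added example that is not part of the original message and is not WordPress's own code. The function names, the stricter segment-based variant and the sample paths are assumptions constructed for illustration.

```php
<?php
// Added example, not WordPress core code. Function names are hypothetical.

// The check exactly as proposed in the comment: reject "/../" anywhere
// and "../" at the start, but allow names that merely contain dots.
function passes_proposed_check(string $plugin): bool {
    return strpos($plugin, '/../') === false && substr($plugin, 0, 3) != '../';
}

// Stricter variant (assumption, beyond the comment): normalise backslashes,
// then reject any path segment equal to "..", an absolute path, or a NUL byte.
function passes_segment_check(string $plugin): bool {
    if ($plugin === '' || strpos($plugin, "\0") !== false) {
        return false;
    }
    $normalised = str_replace('\\', '/', $plugin);
    if ($normalised[0] === '/' || preg_match('/^[A-Za-z]:/', $normalised)) {
        return false;
    }
    foreach (explode('/', $normalised) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }
    return true;
}

// Constructed sample values for an active_plugins-style list.
$samples = [
    'akismet/akismet.php',      // ordinary plugin
    'my.../my....php',          // odd but legitimate name with dots
    '../../wp-config.php',      // leading "../"
    'hello/../../secret.php',   // "/../" in the middle
    'hello/..',                 // trailing "/.." with no closing slash
    '..\\..\\secret.php',       // backslash separators (Windows hosts)
];

foreach ($samples as $plugin) {
    printf("%-28s proposed=%-6s segment=%s\n",
        $plugin,
        passes_proposed_check($plugin) ? 'allow' : 'reject',
        passes_segment_check($plugin) ? 'allow' : 'reject');
}
```

Both checks accept the dotted name `my.../my....php`; the last two samples are the cases where the substring test and the segment test disagree.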

