[wp-trac] Re: [WordPress Trac] #6871: Plugins without headers don't
show in the plugins page, keeping some exploits hidden
WordPress Trac
wp-trac at lists.automattic.com
Fri May 2 01:02:26 GMT 2008
#6871: Plugins without headers don't show in the plugins page, keeping some
exploits hidden
-----------------------------------------------------+----------------------
Reporter: guillep2k | Owner: anonymous
Type: defect | Status: new
Priority: high | Milestone: 2.5.2
Component: Security | Version: 2.5
Severity: critical | Resolution:
Keywords: exploit security has-patch dev-feedback |
-----------------------------------------------------+----------------------
Comment (by guillep2k):
Replying to [comment:12 DD32]:
> 1. {{{substr($plugin,0,3) != '../'}}} is really not needed, Simply
because it should be caught by the other strpos IMO, ./../ is just as
valid, and as such, would be used by any more exploits.
> 1. {{{strpos($plugin,'/../') === false}}} That gets rid of the chance
of someone having multiple dots in the actual filename, But really, Who
does that? Granted, {{{strpos($plugin,'../')}}} might be a better option,
As it catches both cases 2 & 1
> 1. What about on Windows platforms? {{{C:\www\app\..\ }}} is valid, it
resolves to {{{C:\www\}}}
>
Mmmm... how about this?:
{{{
strpos(str_replace('\\','/','/'.$plugin),'/../') === false
}}}
That should take care of all the cases:
..\something --> CAUGHT
..\\something --> CAUGHT
..//something --> CAUGHT
..//something --> CAUGHT
something/../something --> CAUGHT
something//..//something --> CAUGHT
something... --> PASSES
something.../something --> PASSES
..something --> PASSES
--
Ticket URL: <http://trac.wordpress.org/ticket/6871#comment:13>
WordPress Trac <http://trac.wordpress.org/>
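To see the proposed check applied to the cases listed in the comment, here is an added Python example (not code from the ticket or from WordPress). It mirrors the PHP string check, and, as an assumption, adds a resolved-path containment test against a hypothetical plugin directory.

```python
import os

# Assumed plugin directory; WordPress's real location is not taken from the ticket.
PLUGIN_DIR = "/var/www/wp-content/plugins"


def passes_proposed_check(plugin: str) -> bool:
    """Mirror of the PHP check from the comment:
        strpos(str_replace('\\','/','/'.$plugin),'/../') === false
    Backslashes become forward slashes, a '/' is prepended so a leading
    '../' also matches, and any '/../' segment rejects the value."""
    normalised = "/" + plugin.replace("\\", "/")
    return "/../" not in normalised


def resolves_inside_plugin_dir(plugin: str, base: str = PLUGIN_DIR) -> bool:
    """Added, stricter check: resolve the path lexically and require that it
    still lies inside the plugin directory. This works on the resolved path,
    so separator spelling does not matter, and it also accepts values such
    as 'something/../something' that the string check rejects but which
    resolve back inside the directory."""
    base_real = os.path.normpath(os.path.abspath(base))
    target = os.path.normpath(os.path.join(base_real, plugin.replace("\\", "/")))
    return target == base_real or target.startswith(base_real + os.sep)


# Constructed sample inputs: the cases from the comment plus DD32's Windows path.
CASES = [
    "..\\something", "..\\\\something", "..//something",
    "something/../something", "something//..//something",
    "something...", "something.../something", "..something",
    "C:\\www\\app\\..\\",
]

if __name__ == "__main__":
    for case in CASES:
        print(f"{case!r:32} string check: {passes_proposed_check(case)!s:5} "
              f"resolved check: {resolves_inside_plugin_dir(case)}")
```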