[wp-trac] Re: [WordPress Trac] #9164: #6871 Regression for Plugin Dir
WordPress Trac
wp-trac at lists.automattic.com
Thu Feb 19 15:14:00 GMT 2009
#9164: #6871 Regression for Plugin Dir
--------------------------+-------------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: new
Priority: high | Milestone: 2.7.2
Component: Security | Version: 2.7
Severity: normal | Keywords: 2nd-opinion dev-feedback
--------------------------+-------------------------------------------------
Comment (by hakre):
Well, #687 fixed that exact attack, but if you use the same attack while
placing the payload inside the plugins path somewhere, you are still free
to go. That is what I called the Regression. Kinda another vector
ignored.
The Admin Plugin Page only checks the Plugins it finds in the filesystem.
But those are not all the Plugins that are active. Active Plugins are those
referenced in the option "active_plugins" in the database.
Because the Admin Page does not check those values, it fails to draw
attention to plugins that are activated insecurely through direct
option value access.
This technique is used to inject malicious code. Since the Plugin Check
cannot decide whether or not the code loaded by a plugin is malicious,
the Admin Page should at least list all _activated_ plugins, not only
those which it auto-discovers on the filesystem and also sees as active.
Do you understand what I mean?
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9164#comment:2>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
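The gap the comment describes, as an added audit example that is not code from the ticket or from WordPress core: the plugin page lists what `get_plugins()` finds on disk, while what actually loads is whatever the `active_plugins` option holds. The function below diffs the two and reports the entries the page would never show. `get_option()`, `get_plugins()`, `ABSPATH` and the `wp-admin/includes/plugin.php` path are real WordPress names; the function names and the sample arrays are my own, and the sample data is constructed so the script also runs outside WordPress.

```php
<?php
// Added example, not WordPress core code.
//
// $discovered: keys of get_plugins(), the "dir/file.php" paths the admin
//              plugin page finds by scanning the plugin directory.
// $active:     the active_plugins option as stored in the database.
// Returns every active entry the plugin page would not list, including
// entries that are not even strings (a serialized option can hold anything).
function find_unlisted_active_plugins(array $discovered, array $active): array
{
    $known    = array_flip($discovered);
    $unlisted = array();
    foreach ($active as $entry) {
        if (!is_string($entry) || !isset($known[$entry])) {
            $unlisted[] = $entry;
        }
    }
    return $unlisted;
}

// A location check of the kind the comment says already exists (assumption:
// reject entries that leave the plugin directory or are not .php files).
// An injected file placed *inside* the plugin directory passes this check,
// which is why the listing comparison above is the part that matters.
function leaves_plugin_dir($entry): bool
{
    if (!is_string($entry) || strpos($entry, "\0") !== false) {
        return true;
    }
    foreach (explode('/', str_replace('\\', '/', $entry)) as $segment) {
        if ($segment === '..' || $segment === '') {
            return true; // "../x.php" or a leading "/" both escape the directory
        }
    }
    return substr($entry, -4) !== '.php';
}

// Inside WordPress, get_plugins() lives in wp-admin/includes/plugin.php and
// is not loaded on the front end, so pull it in on demand.
if (defined('ABSPATH') && !function_exists('get_plugins')) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

if (function_exists('get_option') && function_exists('get_plugins')) {
    $discovered = array_keys(get_plugins());
    $active     = (array) get_option('active_plugins', array());
} else {
    // Constructed sample data for running this script stand-alone:
    // one legitimate active plugin and one entry that sits inside the plugin
    // directory but was never discovered by the page's filesystem scan.
    $discovered = array('akismet/akismet.php', 'hello.php');
    $active     = array('akismet/akismet.php', 'cache-helper/loader.php');
}

foreach (find_unlisted_active_plugins($discovered, $active) as $entry) {
    $where = leaves_plugin_dir($entry) ? 'outside plugin dir' : 'inside plugin dir';
    printf("active but not shown on the plugin page (%s): %s\n",
        $where, var_export($entry, true));
}
```

Run stand-alone it reports `cache-helper/loader.php` as active but unlisted and inside the plugin directory, which is exactly the case a path-only validation lets through; dropped into a WordPress install it performs the same comparison against the live option and the real plugin scan.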