[wp-trac] [WordPress Trac] #9185: cordon off all non-entry points from the public

WordPress Trac wp-trac at lists.automattic.com
Fri Feb 20 04:16:23 GMT 2009

#9185: cordon off all non-entry points from the public
 Reporter:  jidanni       |       Owner:  ryan
     Type:  defect (bug)  |      Status:  new 
 Priority:  normal        |   Milestone:  2.8 
Component:  Security      |     Version:  2.7 
 Severity:  normal        |    Keywords:      
 Gentlemen, I just realized that anybody can go prancing around
 the whole file tree, executing php programs left and right.
 Browse your
 http://example.net/blog/wp-admin/includes/file.php ...
 Fatal error: Call to undefined function __() in ...file.php on line 11
 each file will generally produce a different error message.
 We are very very lucky nothing worse happens here, allowing the public
 to randomly execute internal components of wordpress that were never
 intended to be executed separately, even by the administrator.

 Compare this to !MediaWiki. No idle executing random PHP files allowed:
 $ find * -name .htaccess
 $ find * -name .htaccess|xargs cat|sort -u
 Deny from all
 And for individual files, we observe
 die( "This file is part of MediaWiki, it is not a valid entry point" );
 Now you might say "go make your own .htaccess files or use a plugin."
 However I say the onus is on the core team to identify the entry
 points to be allowed, and cordon the rest off like !MediaWiki does!

Ticket URL: <http://core.trac.wordpress.org/ticket/9185>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list