[wp-trac] [WordPress Trac] #9406: harden the security of the active_plugins array
WordPress Trac
wp-trac at lists.automattic.com
Sat Mar 28 09:36:05 GMT 2009
#9406: harden the security of the active_plugins array
-------------------------------+--------------------------------------------
 Reporter:  Denis-de-Bernardy  |       Owner:  ryan
     Type:  defect (bug)       |      Status:  new
 Priority:  high               |   Milestone:  2.7.2
Component:  Security           |     Version:
 Severity:  major              |    Keywords:
-------------------------------+--------------------------------------------
In the past few weeks I've been assisting a couple of users whose sites
got hacked. Granted, they're at fault, and they had not upgraded their
sites.
It occurred to me, however, that a simple tweak to the WP source code
would have gone a great length to minimize the impact of their site
getting hacked. Specifically, every hacked site I've bumped into
ultimately took advantage of the active_plugins array, as follows:
{{{
include_once(WP_PLUGIN_DIR . '/' . $plugin);
}}}
The $plugin is checked for dots and the like, but that definitely
doesn't seem to be enough.
Why are we not validating that the plugin file ends with .php? It would
prevent hackers from including txt, bak, jpg and whatnot types of files...
This check should be done immediately before the plugin is included.
Along the same lines, the uploads folder should be validated to make sure
it doesn't look fishy before it gets used.
Fishy-looking files and values should not just be rejected -- the site's
admin should additionally get an hourly email until he has fixed the
issues.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9406>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
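One way to implement the check the ticket asks for, as an added example that is not WordPress core code: the constant name WP_PLUGIN_DIR is WordPress's, while the fallback path, the function names and the demo plugin files are constructed for the stand-alone run.

```php
<?php
// Added example, not WordPress core code: validate an active_plugins entry
// before include_once(WP_PLUGIN_DIR . '/' . $plugin) runs, adding the ".php"
// suffix check the ticket proposes on top of traversal checks. The fallback
// WP_PLUGIN_DIR below is a placeholder so the script runs outside WordPress.
if (!defined('WP_PLUGIN_DIR')) {
    define('WP_PLUGIN_DIR', sys_get_temp_dir() . '/wp-plugins-example');
}

/** True only for a relative ".php" path resolving to a file inside WP_PLUGIN_DIR. */
function active_plugin_is_safe(string $plugin): bool
{
    // Suffix check: rejects .txt, .bak, .jpg and similar stray files.
    if (strlen($plugin) < 5 || substr($plugin, -4) !== '.php') {
        return false;
    }
    // Traversal, absolute-path, backslash and NUL-byte checks.
    if (strpos($plugin, '..') !== false || $plugin[0] === '/'
        || strpos($plugin, '\\') !== false || strpos($plugin, "\0") !== false) {
        return false;
    }
    // Resolve symlinks and confirm the target really lives under the plugin dir.
    $base = realpath(WP_PLUGIN_DIR);
    $full = realpath(WP_PLUGIN_DIR . '/' . $plugin);
    if ($base === false || $full === false || !is_file($full)) {
        return false;
    }
    return strpos($full, $base . DIRECTORY_SEPARATOR) === 0;
}

/** Split an active_plugins array into loadable entries and fishy ones. */
function audit_active_plugins(array $plugins): array
{
    $result = ['safe' => [], 'fishy' => []];
    foreach ($plugins as $plugin) {
        // Fishy entries are what the admin notification would report.
        $result[active_plugin_is_safe($plugin) ? 'safe' : 'fishy'][] = $plugin;
    }
    return $result;
}

// Constructed demo data: one real plugin file and a stray backup beside it.
@mkdir(WP_PLUGIN_DIR . '/demo', 0755, true);
file_put_contents(WP_PLUGIN_DIR . '/demo/demo.php', "<?php\n");
file_put_contents(WP_PLUGIN_DIR . '/demo/demo.php.bak', "<?php\n");
print_r(audit_active_plugins(['demo/demo.php', 'demo/demo.php.bak', 'demo/../demo/demo.php']));
```

The 'fishy' list is the set of entries a site would refuse to include and report to the admin, which is the split the ticket describes.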