[wp-trac] [WordPress Trac] #19235: Turn ms-files.php off by default

WordPress Trac wp-trac at lists.automattic.com
Mon Feb 20 00:42:07 UTC 2012


#19235: Turn ms-files.php off by default
-------------------------+--------------------
 Reporter:  nacin        |       Owner:
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  3.4
Component:  Multisite    |     Version:  3.3.1
 Severity:  normal       |  Resolution:
 Keywords:  3.4-early    |
-------------------------+--------------------

Comment (by juliobox):

 Replying to [comment:26 wpmuguru]:
 > Replying to [comment:25 juliobox]:
 > > About security, my view:
 > > Test: http://hollywoodpq.com/wp-content/blogs.dir/2/files/obm-gallery/widgetCache.php
 > > Now just remove "wp-content/blogs.dir/2/" and you get:
 > > New test: http://hollywoodpq.com/files/obm-gallery/widgetCache.php
 > >
 > > PHP files are downloadable? Damn...
 > > What do you think about that?
 > >
 > > PS: Demo site found with Google.
 > > Julio - Web Security Consultant - boiteaweb.fr
 >
 > Why are you putting PHP files in your media folders? If you are going to
 > upload PHP files to your media folders don't expect WP security to protect
 > your site.
 >
 > WP does not allow a user to upload PHP files to the media folder.
 I do not put PHP files, but people and plugins are doing it.
 I found some plugins which also copy some PHP files, just google some
 dorks.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/19235#comment:27>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
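
An added example, not part of the ticket or of WordPress: a site owner's audit that lists script files sitting in multisite upload directories and shows both URL paths discussed in the comment above. The extension list, function names and sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumed list of extensions the web server may treat as PHP; adjust to your handler config.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}

def find_scripts_in_uploads(wp_content):
    """Return (blog_id, direct_path, rewritten_path) for script files under blogs.dir/<id>/files."""
    findings = []
    base = Path(wp_content) / "blogs.dir"
    if not base.is_dir():
        return findings
    for site_dir in sorted(base.iterdir()):
        files_dir = site_dir / "files"
        if not (site_dir.name.isdigit() and files_dir.is_dir()):
            continue
        for dirpath, _dirs, names in os.walk(files_dir):
            for name in names:
                # Check every suffix so names like "x.php.bak" are reported too.
                if not {s.lower() for s in Path(name).suffixes} & SCRIPT_EXTS:
                    continue
                rel = (Path(dirpath) / name).relative_to(files_dir).as_posix()
                findings.append((
                    int(site_dir.name),
                    f"/wp-content/blogs.dir/{site_dir.name}/files/{rel}",  # direct path
                    f"/files/{rel}",  # path through the multisite /files/ rewrite
                ))
    return sorted(findings)

def demo():
    """Build a constructed sample tree (not real site data) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        wp_content = Path(tmp) / "wp-content"
        samples = {
            "blogs.dir/2/files/obm-gallery/widgetCache.php": "<?php // constructed placeholder\n",
            "blogs.dir/2/files/2012/02/photo.jpg": "not a real image",
            "blogs.dir/3/files/2012/02/logo.png": "not a real image",
        }
        for rel, body in samples.items():
            target = wp_content / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return find_scripts_in_uploads(wp_content)

if __name__ == "__main__":
    for blog_id, direct, rewritten in demo():
        print(f"blog {blog_id}: {direct} (also reachable as {rewritten})")
```

Point `find_scripts_in_uploads` at the real `wp-content` directory of a network install to review which plugins have copied scripts into upload folders.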

