[theme-reviewers] $_SERVER data

Chip Bennett chip at chipbennett.net
Sat Dec 24 15:39:39 UTC 2011


My understanding of script-kiddie attacks is that they just attempt to drop
their payload, using every possible vector, across a range of IP addresses.
In other words: they're indiscriminate, and usually not smart enough to
test for vulnerabilities before attempting to drop their payload.

(It's the same reason that exposing - or not exposing - the WordPress
version has zero real impact on site security.)

Chip

On Sat, Dec 24, 2011 at 9:36 AM, Rankin, Matthew W. (Student) <mrankin at my.ccsu.edu> wrote:

>  Directly the code isn't a security issue, but I've heard that there are
> bots out there that check the comments.php file for this code. If the bot
> finds this code it then begins to try other attacks. So, while not directly
> a security issue it does attract spam and other ( possibly more damaging )
> attacks.
>
> Also, the code you posted really isn't needed. So, with the code not being
> needed, and it possibly opening a site to other attacks, I'd say that it
> should not be included in themes.
>  ------------------------------
> *From:* theme-reviewers-bounces at lists.wordpress.org [
> theme-reviewers-bounces at lists.wordpress.org] on behalf of Chip Bennett [
> chip at chipbennett.net]
> *Sent:* Saturday, December 24, 2011 8:53 AM
> *To:* [theme-reviewers]
> *Subject:* [theme-reviewers] $_SERVER data
>
>  Lately, I've been seeing quite a few review comments indicating to
> remove this code, due to security issues:
>
>    if ( ! empty( $_SERVER['SCRIPT_FILENAME'] ) && 'comments.php' == basename( $_SERVER['SCRIPT_FILENAME'] ) )
>        die( 'Please do not load this page directly. Thanks!' );
>
>
>  I don't believe that $_SERVER data used in this manner (i.e. as a
> conditional query, with no data being saved to the DB or output) is a
> security risk. What are your thoughts?
>
>  Chip
>
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
>
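The guard under discussion, reworked as an added example (not code from the thread, the theme, or WordPress itself) so it can be exercised offline. It takes a $_SERVER-like array as a parameter, and the arrays, paths and the `safe_form_action` helper are constructed for illustration. It shows the two cases the check distinguishes, the kind of $_SERVER use that actually is a risk for contrast, and the ABSPATH idiom that needs no $_SERVER data at all:

```php
<?php
// Added example: the direct-access guard from the thread, written as a
// function over a $_SERVER-like array so it can be run with constructed input.

/**
 * True when the request's entry script, as the web server reports it in
 * SCRIPT_FILENAME, is the given file (e.g. a theme's comments.php requested
 * directly as /wp-content/themes/<theme>/comments.php).
 * The value is only compared; it is never stored or echoed.
 */
function is_direct_request( array $server, string $file ): bool {
    if ( empty( $server['SCRIPT_FILENAME'] ) ) {
        return false;
    }
    return $file === basename( $server['SCRIPT_FILENAME'] );
}

// Constructed $_SERVER arrays (not real captures).
// Normal WordPress page load: the front controller is index.php, and
// comments.php is pulled in via require, so SCRIPT_FILENAME stays index.php.
$front_controller = array(
    'SCRIPT_FILENAME' => '/var/www/html/index.php',
    'REQUEST_URI'     => '/2011/12/hello-world/',
);
// The template file requested directly.
$direct = array(
    'SCRIPT_FILENAME' => '/var/www/html/wp-content/themes/mytheme/comments.php',
    'REQUEST_URI'     => '/wp-content/themes/mytheme/comments.php',
);

var_dump( is_direct_request( $front_controller, 'comments.php' ) ); // bool(false)
var_dump( is_direct_request( $direct, 'comments.php' ) );           // bool(true)

// Where $_SERVER does become dangerous: keys the client influences
// (PHP_SELF, REQUEST_URI, HTTP_HOST, HTTP_REFERER, ...) echoed raw into HTML.
// Hypothetical vulnerable line, shown for contrast with the guard above:
//     echo '<form action="' . $_SERVER['PHP_SELF'] . '">';
// A request for /index.php/"><script>alert(1)</script> would land that
// string in the page. The comparison-only guard never outputs the value;
// when a $_SERVER value must be output, it is escaped:
function safe_form_action( array $server ): string {
    $self = htmlspecialchars( $server['PHP_SELF'] ?? '', ENT_QUOTES, 'UTF-8' );
    return '<form action="' . $self . '">';
}

echo safe_form_action( array( 'PHP_SELF' => '/index.php/"><script>alert(1)</script>' ) ), "\n";
// <form action="/index.php/&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;">

// The idiom most WordPress theme and plugin files use instead needs no
// $_SERVER data at all: WordPress defines ABSPATH before it requires a
// theme file, so a direct request simply has it undefined.
//     if ( ! defined( 'ABSPATH' ) ) { exit; }
```

The SCRIPT_FILENAME check reads a value set by the web server from the resolved script path, not from request bytes, and only compares it, so the worst a client can do is pick which branch runs. The risk people associate with $_SERVER comes from the client-influenced keys being output or stored unescaped, which this guard never does.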