[wp-hackers] Wordpress File Inclusion

Dougal Campbell dougal at gunters.org
Mon Nov 13 20:49:08 GMT 2006


Ryan Boren wrote:
> Bas Bosman wrote:
>> Has anybody seen this post on the BugTraq mailing list?
>> (Also on: http://www.securityfocus.com/archive/1/451311/30/0/threaded)
>>
>> I'm at work and don't have access to my WordPress test box, so I haven't
>> verified it yet.
>
> That code is in load_template().
>
> "file" is not a default query var so it should never be in
> $wp_query->query_vars unless a plugin adds it.  We can use a different
> variable name in load_template() for extra safety, I suppose.
> $template_file instead of $file.
>
> I cannot reproduce.
>
> Ryan

Yeah, I can't see any way to exploit anything here unless a plugin or
theme is injecting a 'file' value into wp_query. Should we consider
setting an extract type and/or prefix, just to lessen the possibility
that a plugin or theme could dirty the variable space?

-- 
Dougal Campbell <dougal at gunters.org>
http://dougal.gunters.org/
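
The extract type and prefix options raised in this thread, as an added example that is not part of the original messages and is not WordPress source. It assumes, as the thread implies, that load_template() calls extract() on the query vars while holding the template path in $file; the resolve_* function names, the sample paths and the query-var array are hypothetical, and each function returns the path it would load instead of including it.

```php
<?php
// Added illustration: simplified stand-ins, not WordPress source.

// Pattern under discussion: extract() with its default EXTR_OVERWRITE flag.
function resolve_overwrite(string $file, array $query_vars): string {
    extract($query_vars);                 // a 'file' key replaces the parameter
    return $file;
}

// Extract type: EXTR_SKIP never overwrites a variable that already exists.
function resolve_skip(string $file, array $query_vars): string {
    extract($query_vars, EXTR_SKIP);
    return $file;
}

// Prefix: EXTR_PREFIX_ALL gives every key its own namespace ($qv_file, $qv_p).
function resolve_prefix(string $file, array $query_vars): string {
    extract($query_vars, EXTR_PREFIX_ALL, 'qv');
    return $file;
}

// Renaming the parameter only moves the collision to another key name.
function resolve_renamed(string $template_file, array $query_vars): string {
    extract($query_vars);
    return $template_file;
}

// Constructed sample data: the template the theme chose, and query vars
// "dirtied" by a hypothetical plugin that registered extra keys.
$template = '/wp-content/themes/default/index.php';
$dirty = [
    'p'             => 12,
    'file'          => '/tmp/not-a-template.php',
    'template_file' => '/tmp/not-a-template.php',
];

$results = [
    'EXTR_OVERWRITE (default)' => resolve_overwrite($template, $dirty),
    'EXTR_SKIP'                => resolve_skip($template, $dirty),
    'EXTR_PREFIX_ALL "qv"'     => resolve_prefix($template, $dirty),
    'renamed parameter only'   => resolve_renamed($template, $dirty),
];

foreach ($results as $label => $path) {
    $state = ($path === $template) ? 'intact' : 'CLOBBERED';
    printf("%-26s %-9s %s\n", $label, $state, $path);
}
```

Only the EXTR_SKIP and EXTR_PREFIX_ALL rows keep the original template path; the rename holds only for as long as no plugin or theme registers a key with the new name.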


