[wp-hackers] protecting wp-content/plugins ?
Alan J Castonguay
alan at verselogic.net
Fri Aug 24 17:23:17 GMT 2007
On 23-Aug-07, at 7:12 PM, Tom Barta wrote:
> If I have a PHP script that is vulnerable when executed directly, but
> then I move it out of the document root, it can no longer be executed
> directly (via HTTP requests) and therefore is no longer a real
> vulnerability (assuming it's secure as a library).
Wordpress Plugins, assuming they're active, are included when someone
requests any page on the blog (eg http://example.com/blog/index.php ).
Most anything that's exploitable when called directly with some data,
like in a get string (eg
http://example.com/blog/wp-content/plugins/badplugin.php?shellcode=rm%20-rf%20/ )
will still be exploitable when called via Wordpress (eg
http://example.com/blog/index.php?shellcode=rm%20-rf%20/ ).
The only situation I can think of where your cloaking suggestion
makes sense is one where a plugin does something when executed
directly that it doesn't do when included in Wordpress. Aka, it
checks to see how it was called, and executes a different code path
based on that. If it's doing this, it fits into Otto's B scenario
above: designed to do just that.
In the case of WP, there is no point in scanning for
directly-requestable exploitable plugins. An attacker doesn't need to
know whether an exploit exists before attempting it. Hiding direct file
access does not make you any more or less secure.
Alan J Castonguay
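As an added illustration of the point made in this post (example code, not from the list thread or from WordPress itself): the snippet simulates the two request paths described above with a hypothetical plugin that reads a `report` query parameter. The direct-access guard it models is the conventional `defined('ABSPATH')` check that WordPress sets before loading plugins; the plugin name, the `REPORT_DIR` path and the query value are all constructed for the example. Running it shows that the guard only affects the direct request, while the plugin loaded via `index.php` receives exactly the same `$_GET` data, so input validation inside the plugin is what actually protects.

```php
<?php
// Added example, not code from the list post or from WordPress.
// It models: (a) a direct request to wp-content/plugins/someplugin.php,
// and (b) a request to index.php, where WordPress has defined ABSPATH
// and loaded the active plugin. Both deliver the same query string.

// ---- constructed stand-in for wp-content/plugins/someplugin.php ----
const REPORT_DIR = '/var/www/reports/';   // assumed path, not a real site

// Weak form: the query parameter is used to build a filesystem path
// as-is, so whatever the client sends reaches the filesystem call.
function someplugin_report_path(array $get): ?string
{
    if (!isset($get['report'])) {
        return null;
    }
    return REPORT_DIR . $get['report'] . '.csv';
}

// Hardened form: only values from a fixed allowlist are accepted,
// regardless of which request path delivered them.
function someplugin_report_path_safe(array $get): ?string
{
    $allowed = ['daily', 'weekly', 'monthly'];
    $report  = $get['report'] ?? '';
    if (!in_array($report, $allowed, true)) {
        return null;
    }
    return REPORT_DIR . $report . '.csv';
}

// ---- simulated request dispatch ----
// $direct = true  models GET /wp-content/plugins/someplugin.php?report=...
// $direct = false models GET /index.php?report=..., with the plugin
//                 included by WordPress while rendering the page.
function handle_request(bool $direct, array $get, callable $handler): string
{
    // WordPress defines ABSPATH before including plugins; a bare request
    // to the plugin file does not, which is all a direct-access guard checks.
    $abspathDefined = !$direct;
    if (!$abspathDefined) {
        return 'direct request: guard refused to run';
    }
    $path = $handler($get);
    return $path === null ? 'rejected by validation' : "would read $path";
}

// Constructed query value containing path traversal, used for both paths.
$query = ['report' => '../../not-a-report'];

echo handle_request(true,  $query, 'someplugin_report_path'),      PHP_EOL;
// direct request: guard refused to run
echo handle_request(false, $query, 'someplugin_report_path'),      PHP_EOL;
// would read /var/www/reports/../../not-a-report.csv  (guard irrelevant)
echo handle_request(false, $query, 'someplugin_report_path_safe'), PHP_EOL;
// rejected by validation  (the plugin's own check is what protects)
```

The second line of output is the post's argument in miniature: the plugin runs with the attacker-controlled parameter whenever any page is requested, so moving or hiding the file changes nothing. Only the allowlist in `someplugin_report_path_safe` rejects the value on every path.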