[wp-trac] Re: [WordPress Trac] #5174: If plugin details cleared while activated, "impossible" to deactivate
WordPress Trac
wp-trac at lists.automattic.com
Thu Oct 11 17:05:21 GMT 2007
#5174: If plugin details cleared while activated, "impossible" to deactivate
----------------------------+-----------------------------------------------
Reporter: Viper007Bond | Owner: anonymous
Type: defect | Status: new
Priority: lowest | Milestone: 2.5
Component: Administration | Version: 2.3
Severity: normal | Resolution:
Keywords: needs-patch |
----------------------------+-----------------------------------------------
Comment (by jaredbangs):
Yeah, I guess it boils down to the fact that if your file permissions are
loose enough to allow plugin code to write and/or modify files you're
pretty much screwed in any case, even without this bug(?) / issue.
I wrote a quick proof-of-concept plugin that does what I talked about
above: creates another plugin with the same name, activates it, and then
hides itself, so that it appears to the user that they just activated the
one they thought they did, and if they try to deactivate, they're really
only deactivating the dummy one, while the original remains active and
hidden. I can post it if anyone's interested.
Following up on what santosj said above, it could get even worse and
harder to detect. Plugins could have a short line buried within them to
download new code and use it to modify some other plugin that the user has
already activated (such as akismet) and then clean up its tracks by
modifying itself so nothing looks out of the ordinary.
Such behavior can be easily prevented by implementing proper file
permissions, but I'm not sure what WP can do about that, other than maybe
warn the user if they are open to this vulnerability.
But (getting back to the original bug) it probably would be good for the
plugin list to always include active plugins without relying (completely)
on the data in the plugin files themselves.
--
Ticket URL: <http://trac.wordpress.org/ticket/5174#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
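The audit the comment asks for, as an added example (not code from the ticket, from jaredbangs, or from WordPress core): instead of trusting the "Plugin Name:" header that the plugin list is built from, start from the active_plugins option and check every entry against what is actually on disk. It assumes the WordPress conventions that active_plugins holds paths relative to wp-content/plugins (e.g. "akismet/akismet.php") and that the header is read from the first 8 KB of the file; the plugins directory and the active_plugins list below are constructed fixtures reproducing the scenarios in the thread. On a real site you would pass the real plugins directory and the list from wp_options (for example the output of `wp option get active_plugins`).

```python
"""Audit active WordPress plugins against the headers on disk.

Added example, not from the ticket or from WordPress core. Assumptions:
active_plugins entries are paths relative to wp-content/plugins, and the
plugin list keys plugins by a "Plugin Name:" header in the first 8 KB.
"""
import os
import re
import tempfile

# Loose match of WordPress's header regex: any comment prefix, then "Plugin Name:".
HEADER_RE = re.compile(r"^[ \t/*#@]*Plugin Name:(.*)$", re.MULTILINE | re.IGNORECASE)


def plugin_name(path, max_bytes=8192):
    """Return the Plugin Name header of a file, or "" if absent or unreadable."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            head = fh.read(max_bytes)
    except OSError:
        return ""
    m = HEADER_RE.search(head)
    return m.group(1).strip() if m else ""


def list_plugin_files(plugins_dir):
    """Every .php file at the top level or one directory deep, keyed like active_plugins."""
    files = []
    for entry in sorted(os.listdir(plugins_dir)):
        full = os.path.join(plugins_dir, entry)
        if os.path.isfile(full) and entry.endswith(".php"):
            files.append(entry)
        elif os.path.isdir(full):
            for sub in sorted(os.listdir(full)):
                if sub.endswith(".php") and os.path.isfile(os.path.join(full, sub)):
                    files.append(entry + "/" + sub)
    return files


def audit(plugins_dir, active_plugins):
    """Compare the active_plugins list with the files on disk.

    hidden:     active file exists but carries no header, so the plugin list
                would omit it and offer no deactivate link (the ticket's bug).
    missing:    active entry with no file behind it at all.
    duplicates: two different files claiming the same Plugin Name (the
                dummy-clone trick described in the thread).
    """
    findings = {"hidden": [], "missing": [], "duplicates": {}}
    by_name = {}
    for rel in list_plugin_files(plugins_dir):
        name = plugin_name(os.path.join(plugins_dir, rel))
        if name:
            by_name.setdefault(name, []).append(rel)
    for rel in active_plugins:
        full = os.path.join(plugins_dir, rel)
        if not os.path.isfile(full):
            findings["missing"].append(rel)
        elif not plugin_name(full):
            findings["hidden"].append(rel)
    findings["duplicates"] = {n: p for n, p in by_name.items() if len(p) > 1}
    return findings


def build_demo_site():
    """Constructed fixture: a throwaway plugins dir reproducing the thread's cases."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    fixtures = {
        "akismet/akismet.php": "<?php\n/*\nPlugin Name: Akismet\n*/\n",      # healthy
        "hello/hello.php": "<?php\n/*\nPlugin Name: Hello Dolly\n*/\n",      # original
        "hello-dummy/hello.php": "<?php\n/*\nPlugin Name: Hello Dolly\n*/\n",  # same-name clone
        "cleaner/cleaner.php": "<?php\n// header cleared after activation\n",  # hidden
    }
    for rel, body in fixtures.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    # Constructed active_plugins value; "gone/gone.php" has no file behind it.
    active = ["akismet/akismet.php", "hello-dummy/hello.php",
              "cleaner/cleaner.php", "gone/gone.php"]
    return root, active


if __name__ == "__main__":
    demo_root, demo_active = build_demo_site()
    for kind, items in audit(demo_root, demo_active).items():
        print(f"{kind}: {items}")
```

The point of starting from active_plugins rather than from the header scan is that a plugin which blanks its own header disappears from the admin list but keeps executing on every request; "hidden" entries are exactly the ones the admin UI will not let you deactivate, and they should be treated as a compromise indicator rather than a cosmetic glitch, since the file was writable by web-server code.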