[wp-trac] [WordPress Trac] #6871: Plugins without headers don't
show in the plugins page, keeping some exploits hidden
WordPress Trac
wp-trac at lists.automattic.com
Tue Apr 29 11:08:40 GMT 2008
#6871: Plugins without headers don't show in the plugins page, keeping some
exploits hidden
-----------------------+----------------------------------------------------
Reporter: guillep2k | Owner: anonymous
Type: defect | Status: new
Priority: high | Milestone: 2.5.2
Component: Security | Version: 2.5
Severity: critical | Keywords: exploit
-----------------------+----------------------------------------------------
There's a new exploit that leaves a bogus plugin in the active_plugins
option which doesn't show in the plugins page. The plugin (in my case) was
at:
../../../../../../../../../../../../../../../../../../../../../../tmp/tmp4Z0MYa/sess_56b48e283b26c4dd342c25be2e4d22e7
You can see more info at:
http://wordpress.org/support/topic/169246?replies=8#post-746480
(my reply as guillep2k)
WordPress should show SOME information about invalid/incomplete plugins in
the plugins page in order to quickly detect this situation AND quickly
disable them. More information in the Dashboard would be great too.
--
Ticket URL: <http://trac.wordpress.org/ticket/6871>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
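
An added example, not part of the original ticket and not WordPress code: a Python audit of an `active_plugins` option value (a PHP-serialized array, for instance taken from a database dump) that flags entries of the kind the report describes, meaning traversal paths, targets outside the plugins directory, and files without a `Plugin Name:` header. The function names, the 8 KB header read and the sample entries are assumptions constructed for illustration.

```python
import os
import re
import tempfile

def parse_active_plugins(serialized: bytes) -> list:
    """Extract the string values from a PHP-serialized array of strings."""
    pat, entries, pos = re.compile(rb's:(\d+):"'), [], 0
    while (m := pat.search(serialized, pos)):
        end = m.end() + int(m.group(1))   # PHP string lengths are byte counts
        entries.append(serialized[m.end():end].decode("utf-8", "replace"))
        pos = end + 2                     # skip the closing '";'
    return entries

def audit_entry(entry: str, plugins_dir: str) -> list:
    """Return the reasons an entry is suspicious or hidden; empty if clean."""
    reasons = []
    if os.path.isabs(entry) or ".." in entry.replace("\\", "/").split("/"):
        reasons.append("path traversal or absolute path")
    root = os.path.realpath(plugins_dir)
    target = os.path.realpath(os.path.join(root, entry))
    if os.path.commonpath([root, target]) != root:
        return reasons + ["resolves outside plugins directory"]  # never read it
    if not os.path.isfile(target):
        reasons.append("file missing")
    else:
        with open(target, "rb") as fh:    # header assumed within first 8 KB
            if not re.search(rb"Plugin Name:[ \t]*\S", fh.read(8192)):
                reasons.append("no Plugin Name header")
    return reasons

def audit_active_plugins(serialized: bytes, plugins_dir: str) -> dict:
    """Map each flagged active_plugins entry to its list of reasons."""
    return {e: r for e in parse_active_plugins(serialized) if (r := audit_entry(e, plugins_dir))}

def demo() -> dict:
    """Run the audit on a constructed option value and a constructed plugins directory."""
    entries = ["akismet/akismet.php", "nohdr.php", "../../../../tmp/tmpEXAMPLE/sess_EXAMPLE"]
    body = "".join(f'i:{i};s:{len(e.encode())}:"{e}";' for i, e in enumerate(entries))
    sample = f"a:{len(entries)}:{{{body}}}".encode()
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "akismet"))
        with open(os.path.join(d, "akismet", "akismet.php"), "w") as f:
            f.write("<?php\n/*\nPlugin Name: Akismet\n*/\n")
        with open(os.path.join(d, "nohdr.php"), "w") as f:
            f.write("<?php // constructed file without a header\n")
        return audit_active_plugins(sample, d)

if __name__ == "__main__":
    print(demo())
```

The audit refuses to open anything that resolves outside the plugins directory, so it can be run against a suspect installation without reading the referenced file.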