[wp-trac] Re: [WordPress Trac] #6871: Plugins without headers don't
show in the plugins page, keeping some exploits hidden
WordPress Trac
wp-trac at lists.automattic.com
Tue Apr 29 14:23:35 GMT 2008
#6871: Plugins without headers don't show in the plugins page, keeping some
exploits hidden
------------------------------+---------------------------------------------
Reporter: guillep2k | Owner: anonymous
Type: defect | Status: new
Priority: high | Milestone: 2.5.2
Component: Security | Version: 2.5
Severity: critical | Resolution:
Keywords: exploit security |
------------------------------+---------------------------------------------
Comment (by filosofo):
I think it's a good idea to deactivate invalid plugins, but I'm not sure
that this will provide much protection from this kind of attack. Once an
attacker has managed to include his "plugin" in the list of active
plugins, all he has to do is provide a legitimate header format, then
filter the output buffer to hide all mention of it from the admin.
Since he can apparently write to your filesystem and modify your database,
a rogue plugin is really just the beginning of your worries.
--
Ticket URL: <http://trac.wordpress.org/ticket/6871#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list