[wp-trac] Re: [WordPress Trac] #5564: Non Plugin Files Can Be Easily Included In Current Plugins using database Manipulation

WordPress Trac wp-trac at lists.automattic.com
Wed Jan 2 06:16:46 GMT 2008


#5564: Non Plugin Files Can Be Easily Included In Current Plugins using database
Manipulation
-------------------------------+--------------------------------------------
 Reporter:  keithdsouza        |        Owner:  anonymous
     Type:  defect             |       Status:  new      
 Priority:  highest omg bbq    |    Milestone:  2.5      
Component:  Security           |      Version:           
 Severity:  critical           |   Resolution:           
 Keywords:  reporter-feedback  |  
-------------------------------+--------------------------------------------
Comment (by darkdragon):

 I agree, but I thought the ticket was more that WordPress should double
 check that the plugin file is valid (with comments) before including
 during the wp-settings plugin inclusion.

 However, while WordPress should do this, it really wouldn't prevent
 anything. Like DD32 said, there are other ways to go about this. If a
 hacker is going to go through this method, then I think the hacker is just
 playing with the victim.

 Again, the hacker would have already had to have access to the
 filesystem/database before initiating this run. Well, then again, it would
 be nice to have many layers, but nothing is preventing the hacker from
 adding valid plugin comment information.

 I think it would be quite difficult to fix with very little gain from
 doing so. Not to mention that checking the plugin files on every page load
 could do well to slow down WordPress.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/5564#comment:5>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
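The check the comment above describes (validating an active_plugins entry before wp-settings includes it), as an added example that is not WordPress core code. The function name `example_validate_active_plugin` is hypothetical; `WP_PLUGIN_DIR` and `get_option()` are the real WordPress constant and function, assumed to be loaded by the caller.

```php
<?php
// Added example, not WordPress's own loader. Assumes WP_PLUGIN_DIR is
// defined and get_option() is available (both real WordPress API).

/**
 * Return null if $plugin (one value from the active_plugins option, e.g.
 * "akismet/akismet.php") may be included, otherwise a reason to reject it.
 */
function example_validate_active_plugin(string $plugin): ?string {
    // 1. Plugins are PHP files; reject anything else outright.
    if (substr($plugin, -4) !== '.php') {
        return 'not a .php file';
    }
    // 2. Resolve symlinks and "../" and require the result to live under
    //    WP_PLUGIN_DIR, so a database-edited path cannot reach other files.
    $base = realpath(WP_PLUGIN_DIR);
    $real = realpath(WP_PLUGIN_DIR . '/' . $plugin);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return 'outside the plugins directory';
    }
    // 3. Require a "Plugin Name:" header comment in the first 8 KiB, the
    //    region WordPress itself reads plugin headers from.
    $head = file_get_contents($real, false, null, 0, 8192);
    if ($head === false
        || !preg_match('/^[ \t\/*#@]*Plugin Name:\s*(.+)$/mi', $head)) {
        return 'no "Plugin Name:" header';
    }
    return null;
}

// Loader: log and skip a bad entry instead of including it.
foreach ((array) get_option('active_plugins') as $plugin) {
    $reason = example_validate_active_plugin($plugin);
    if ($reason !== null) {
        error_log("active_plugins entry {$plugin} rejected: {$reason}");
        continue;
    }
    include_once WP_PLUGIN_DIR . '/' . $plugin;
}
```

This rejects a non-plugin file named through the database, but, as the comment notes, it is one layer only: an attacker who can already write to the filesystem can add a valid header to the file they drop, so the log line is as useful as the rejection.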