[wp-trac] Re: [WordPress Trac] #5564: Non Plugin Files Can Be Easily Included In Current Plugins using database Manipulation
WordPress Trac
wp-trac at lists.automattic.com
Wed Jan 2 06:16:46 GMT 2008
#5564: Non Plugin Files Can Be Easily Included In Current Plugins using database Manipulation
-------------------------------+--------------------------------------------
Reporter: keithdsouza | Owner: anonymous
Type: defect | Status: new
Priority: highest omg bbq | Milestone: 2.5
Component: Security | Version:
Severity: critical | Resolution:
Keywords: reporter-feedback |
-------------------------------+--------------------------------------------
Comment (by darkdragon):
I agree, but I thought the ticket was more that WordPress should double
check that the plugin file is valid (with comments) before including
during the wp-settings plugin inclusion.
However, while WordPress should do this, it really wouldn't prevent
anything. Like DD32 said, there are other ways to go about this. If a
hacker is going to go through this method, then I think the hacker is just
playing with the victim.
Again, the hacker would have already had to have access to the
filesystem/database before initiating this run. Well, then again, it would
be nice to have many layers, but nothing is preventing the hacker from
adding valid plugin comment information.
I think it would be quite difficult to fix with very little gain from
doing so. Not to mention that checking the plugin files on every page load
could do well to slow down WordPress.
--
Ticket URL: <http://trac.wordpress.org/ticket/5564#comment:5>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
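The check darkdragon describes, written out as an added example rather than WordPress core code: before wp-settings includes each entry of the active_plugins option, confirm that the database value is a plain relative path that resolves inside the plugin directory and that the file carries a "Plugin Name:" header. It assumes only that get_option() and the ABSPATH and PLUGINDIR constants are in scope; the example_* function names are made up for this illustration.

```php
<?php
// Added example, not WordPress core code. A stricter form of the
// active_plugins include loop: entries that fail any check are skipped
// and logged instead of being included.

/**
 * Return the absolute path of a plugin file if it is safe to include,
 * or false if the database value should not be trusted.
 */
function example_safe_plugin_path($plugin_dir, $relative) {
    // Expected shape of the option value: "file.php" or "dir/file.php".
    if (!is_string($relative)
        || !preg_match('#^[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)?\.php$#', $relative)
        || strpos($relative, '..') !== false) {
        return false;
    }
    $base = realpath($plugin_dir);
    $path = realpath($plugin_dir . '/' . $relative);
    // realpath() collapses symlinks; the result must stay under the plugin dir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    // The header check from the comment: a plugin file must declare "Plugin Name:".
    $head = file_get_contents($path, false, null, 0, 8192);
    if ($head === false || !preg_match('/^[ \t\/*#@]*Plugin Name:\s*\S/mi', $head)) {
        return false;
    }
    return $path;
}

/** Reduce an active_plugins array to the entries that pass the checks. */
function example_filter_active_plugins($plugin_dir, $active) {
    $ok = array();
    foreach ((array) $active as $entry) {
        $path = example_safe_plugin_path($plugin_dir, $entry);
        if ($path !== false) {
            $ok[] = $path;
        } else {
            error_log('active_plugins: skipping untrusted entry ' . var_export($entry, true));
        }
    }
    return $ok;
}

// Use in place of the plain include loop over get_option('active_plugins').
$plugin_dir = ABSPATH . PLUGINDIR;
foreach (example_filter_active_plugins($plugin_dir, get_option('active_plugins')) as $path) {
    include_once $path;
}
```

As the comment points out, this only stops a tampered database row from pulling in an arbitrary existing PHP file; an attacker who can also write to the filesystem can simply add the header, so the check is one layer, not a fix.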