[wp-trac] Re: [WordPress Trac] #6871: Plugins without headers don't show in the plugins page, keeping some exploits hidden

WordPress Trac wp-trac at lists.automattic.com
Wed Jul 16 00:39:37 GMT 2008


#6871: Plugins without headers don't show in the plugins page, keeping some
exploits hidden
------------------------------------------------------------+---------------
 Reporter:  guillep2k                                       |        Owner:  guillep2k
     Type:  defect                                          |       Status:  assigned 
 Priority:  high                                            |    Milestone:  2.6.1    
Component:  Security                                        |      Version:  2.6      
 Severity:  critical                                        |   Resolution:           
 Keywords:  exploit security has-patch dev-feedback tested  |  
------------------------------------------------------------+---------------
Changes (by guillep2k):

  * keywords:  exploit security has-patch dev-feedback => exploit security
               has-patch dev-feedback tested

Comment:

 In some aspects you are right, santosj; most validations should be made in
 the plugins page, but this one is so important that it should be performed
 ''every time''. The exploit I'm trying to prevent is a real world exploit
 that happened to at least three blogs of my knowledge and was performed
 through a bug in TinyMCE. The injected plugin was not validated and
 serious damage could have happened if the plugin was a little more
 aggressive. Such damage would have occurred '''way before''' the user had
 any chance to visit the plugins page which, by the way, no one visits
 regularly once the plugins they need are in place and working.

 Anyway, what I'm trying to add to the wp-settings.php file (the
 'performance sensitive' change) is just some strpos() and str_replace()
 function calls:

 {{{
 // Prefixing '/' makes a leading '../' show up as '/../'; compare with
 // !== false because strpos() returns 0 (falsy) for a match at offset 0.
 if( __existing_validation__ &&
     strpos(str_replace('\\','/','/'.$plugin),'/../') !== false &&
     __existing_validation__ ) {
     ...
 }
 }}}

 I doubt anyone would notice such a small addition.

 I'm adding the "6871 version 4 for 2.6.diff" file after this comment. I
 tested it with version 2.6 right out of the SVN tags/2.6 branch (8342).

-- 
Ticket URL: <http://trac.wordpress.org/ticket/6871#comment:18>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
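The check discussed in this thread, carried a little further as an added example (this is not the ticket's patch and not WordPress core code). It validates an `active_plugins` entry in two layers: a pure string check that normalises backslashes and rejects any `/../` segment, absolute paths and non-PHP names, and a filesystem check that resolves the path with `realpath()` and confirms it still lies under the plugin directory. The function names, the temporary plugin directory and the candidate entries are all constructed for the demonstration.

```php
<?php
// Added example: defensive validation of an active_plugins entry before it
// is loaded. Not WordPress core code; function names are this example's own.

/**
 * String-level check (no filesystem access). Returns true when the entry
 * contains no traversal, is relative, and names a .php file.
 */
function example_plugin_entry_looks_safe($plugin) {
    if (!is_string($plugin) || $plugin === '') {
        return false;
    }
    // Normalise Windows separators so "..\" is treated like "../".
    $p = str_replace('\\', '/', $plugin);

    // Prefix '/' so a leading "../" becomes "/../" and is matched as well.
    // Compare with !== false: strpos() returns 0 (falsy) for a match at
    // offset 0, which is exactly the leading "../" case.
    if (strpos('/' . $p, '/../') !== false) {
        return false;
    }
    // Absolute POSIX paths and Windows drive paths never belong here.
    if ($p[0] === '/' || preg_match('#^[A-Za-z]:/#', $p)) {
        return false;
    }
    // Plugin files are PHP files.
    return substr($p, -4) === '.php';
}

/**
 * Filesystem-level check: after symlink resolution the file must exist and
 * sit inside $plugin_dir. Assumes $plugin_dir exists.
 */
function example_plugin_file_is_inside($plugin, $plugin_dir) {
    if (!example_plugin_entry_looks_safe($plugin)) {
        return false;
    }
    $base = realpath($plugin_dir);
    $full = realpath($plugin_dir . '/' . $plugin);
    if ($base === false || $full === false) {
        return false;
    }
    $base = rtrim($base, '/') . '/';
    return strncmp($full, $base, strlen($base)) === 0;
}

// --- Constructed demonstration layout (temporary, removed at the end) ---
$root       = sys_get_temp_dir() . '/example-plugins-' . getmypid();
$plugin_dir = $root . '/plugins';
mkdir($plugin_dir . '/good', 0700, true);
file_put_contents($plugin_dir . '/good/good.php', "<?php // constructed plugin stub\n");
file_put_contents($root . '/outside.php', "<?php // constructed file outside the plugin dir\n");

$candidates = array(
    'good/good.php',             // legitimate entry
    '../outside.php',            // leading traversal: strpos() returns 0 here
    'good/../../outside.php',    // traversal in the middle of the path
    'good\\..\\..\\outside.php', // same, written with Windows separators
    '/etc/passwd',               // absolute path
    'good/good.txt',             // not a PHP file
);
foreach ($candidates as $c) {
    printf("%-28s string-check=%-6s fs-check=%s\n", $c,
        example_plugin_entry_looks_safe($c) ? 'ok' : 'REJECT',
        example_plugin_file_is_inside($c, $plugin_dir) ? 'ok' : 'REJECT');
}

// Clean up the constructed files.
unlink($plugin_dir . '/good/good.php');
unlink($root . '/outside.php');
rmdir($plugin_dir . '/good');
rmdir($plugin_dir);
rmdir($root);
```

Only `good/good.php` passes both checks; every other candidate is rejected by the string check alone, and the `realpath()` layer is there for cases the string check cannot see, such as a symlink inside the plugin directory pointing elsewhere.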

