[wp-trac] Re: [WordPress Trac] #6871: Plugins without headers don't show in the plugins page, keeping some exploits hidden

WordPress Trac wp-trac at lists.automattic.com
Thu May 1 00:47:34 GMT 2008


#6871: Plugins without headers don't show in the plugins page, keeping some
exploits hidden
------------------------------+---------------------------------------------
 Reporter:  guillep2k         |        Owner:  anonymous
     Type:  defect            |       Status:  new      
 Priority:  high              |    Milestone:  2.5.2    
Component:  Security          |      Version:  2.5      
 Severity:  critical          |   Resolution:           
 Keywords:  exploit security  |  
------------------------------+---------------------------------------------
Comment (by DD32):

 > I'm sorry to disagree.

 The only reason I pointed it out was because of 2 things:

  1. The exploit itself can filter the plugins list on access to a page
 which causes invalid plugins to be deactivated. exploit:
 {{{
 If page is going to kill me then
   add_filter('active_plugins', 'Remove myself from the active list for
 that page!');
 end if
 }}}
  2. The exploit itself can reactivate itself in event of deactivation
 {{{
 register_shutdown_function:
 if I am no longer in the active plugins list then
   $current = get_option('active_plugins');
   $current[] = __FILE__;
   update_option('active_plugins', $current);
 endif
 }}}
 Or
 {{{
 add_filter('update_active_plugins'):
 If list does not include me then
   Add myself to the updated list
 end if
 }}}

 Some people are not going to like me posting that as they may feel it's
 pointing out how to hide an exploit in WordPress, but anyone with any
 knowledge of WP/filters could figure it out. They definitely could (they
 being the exploiters).

 So it protects against the current generation, but it will not protect
 against any of the next generation which specifically target WordPress.

 The only reason I set it to 2.6 is as new functionality (which this is,
 it's not just a simple bug fix) goes into the trunk (2.6) branch first for
 testing, and then if it's decided it needs to be in the 2.5 branch, which is
 bugfixes only, then it gets backported.

 There's nothing stopping exploits from appending their code to existing
 plugins which are active, appending it to files, or simply inserting the
 file in a place where WordPress automatically includes them.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/6871#comment:7>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
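
A check that runs outside WordPress, so no filter on the active plugins list can hide an entry from it. This is an added example, not part of the message above and not WordPress code; the function names, the 8 KiB header probe and the assumption that the list is read from the raw active_plugins option row in the database are the example's own.

```python
import os
import re
import tempfile

# WordPress lists a plugin only if it finds a "Plugin Name:" header in the file.
HEADER_RE = re.compile(rb"Plugin Name:[ \t]*\S", re.IGNORECASE)

def has_plugin_header(path, probe_bytes=8192):
    # probe_bytes is this example's assumption about how much of the file to inspect
    with open(path, "rb") as fh:
        return HEADER_RE.search(fh.read(probe_bytes)) is not None

def audit_active_plugins(plugins_dir, active_plugins):
    """Return (entry, reason) pairs for suspicious active_plugins entries.

    active_plugins must come from the raw option row in the database,
    not from get_option(), so no filter has had a chance to edit it.
    """
    root = os.path.realpath(plugins_dir)
    findings = []
    for entry in active_plugins:
        full = os.path.realpath(os.path.join(root, entry))
        if os.path.commonpath([root, full]) != root:
            findings.append((entry, "outside plugins directory"))
        elif not os.path.isfile(full):
            findings.append((entry, "file missing on disk"))
        elif not has_plugin_header(full):
            findings.append((entry, "no plugin header"))
    return findings

def demo():
    # Constructed sample: one normal plugin, one headerless file, two bad entries.
    with tempfile.TemporaryDirectory() as tmp:
        plugins = os.path.join(tmp, "plugins")
        os.mkdir(plugins)
        with open(os.path.join(plugins, "hello.php"), "w") as fh:
            fh.write("<?php\n/*\nPlugin Name: Hello Sample\n*/\n")
        with open(os.path.join(plugins, "cache-x.php"), "w") as fh:
            fh.write("<?php\n// constructed file with no header\n")
        outside = os.path.join(tmp, "uploads.php")
        open(outside, "w").close()
        active = ["hello.php", "cache-x.php", "gone.php", outside]
        found = audit_active_plugins(plugins, active)
        return [(os.path.basename(e), why) for e, why in found]

if __name__ == "__main__":
    for name, why in demo():
        print(f"{name}: {why}")
```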

