[wp-trac] Re: [WordPress Trac] #6871: Plugins without headers don't show in the plugins page, keeping some exploits hidden

WordPress Trac wp-trac at lists.automattic.com
Thu May 1 01:05:52 GMT 2008


#6871: Plugins without headers don't show in the plugins page, keeping some
exploits hidden
------------------------------+---------------------------------------------
 Reporter:  guillep2k         |        Owner:  anonymous
     Type:  defect            |       Status:  new      
 Priority:  high              |    Milestone:  2.5.2    
Component:  Security          |      Version:  2.5      
 Severity:  critical          |   Resolution:           
 Keywords:  exploit security  |  
------------------------------+---------------------------------------------
Comment (by guillep2k):

 OK, you are right. After checking what the 6871.diff patch does I don't
 think it would be of any help for any kind of attack. It seems to have
 some error too, since it didn't remove any plugins from the active_plugins
 option I faked to test with, nor showed any messages at the plugins admin
 page. Instead, please consider these changes (sorry, I don't have an SVN
 client for the moment, I performed a simple diff):

 wp-settings.php
 {{{
 355,358c355,356
 <               foreach ($current_plugins as $plugin) {
 <                       if ('' != $plugin && file_exists(ABSPATH .
 PLUGINDIR . '/' . $plugin))
 <                               include_once(ABSPATH . PLUGINDIR . '/' .
 $plugin);
 <               }
 ---
 >               foreach ($current_plugins as $plugin)
 >                       wp_validate_load_plugin($plugin);
 }}}
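Review bot: the new loop discards the return value of wp_validate_load_plugin(), so an active_plugins entry that fails validation is skipped silently and the administrator still gets no indication that a bogus plugin is registered, which is the visibility problem this ticket is about. Suggest collecting the entries for which it returns false and either removing them from the active_plugins option or listing them on the plugins admin page, e.g. `if ( ! wp_validate_load_plugin($plugin) ) $invalid[] = $plugin;`. Note also that the `'' != $plugin && file_exists(...)` guard removed here now lives only in the new function, so this hunk must land together with the functions.php one.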

 wp-includes/functions.php
 {{{
 1751a1752,1766
 > /**
 >  * wp_validate_load_plugin() - Loads a plugin only if it exists below
 the plugins directory
 >  *
 >  * @param string $plugin e.g. akismet/akismet.php
 >  * @return bool
 >  */
 > function wp_validate_load_plugin($plugin) {
 >       $ppath = str_replace('\\','/',ABSPATH . PLUGINDIR) . '/';
 >       if ('' != $plugin && file_exists($ppath . $plugin) &&
 >               str_replace('\\','/',substr(realpath($ppath .
 $plugin),0,strlen($ppath))) == $ppath) {
 >               include_once($ppath . $plugin);
 >               return true;
 >       } else return false;
 > }
 >
 }}}
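Review bot: only the candidate path is canonicalised. `$ppath` is built from ABSPATH . PLUGINDIR with backslashes normalised but never passed through realpath(), so if ABSPATH contains a symlink, a `..` component, or a drive-letter or case spelling that differs from what realpath() reports, the prefix comparison fails and every active plugin is refused. Canonicalise both sides, e.g. `$ppath = str_replace('\\','/', realpath(ABSPATH . PLUGINDIR)) . '/';`, and return false if that realpath() call yields false. The trailing slash on `$ppath` is correct and should stay, since it stops a sibling directory such as `plugins-x/` from satisfying the prefix test; a false result from realpath() on the plugin itself is already excluded by the preceding file_exists() check. Minor style: `} else return false;` should use braces.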

 I think this would be effective protection for future attacks of this
 kind, since the attacker doesn't have full write permission on the file
 system until the plugin is installed and executed; they can only write
 temporary files, and PHP code can only be executed after SQL injection by
 marking their temporary file as the plugin. This change eliminates the
 possibility of executing plugins outside the plugin directory. Let me hear
 your thoughts.

 Guille

-- 
Ticket URL: <http://trac.wordpress.org/ticket/6871#comment:8>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
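The containment check proposed above, as an added example that is not part of the ticket or of WordPress: both the plugins directory and the candidate path are canonicalised with realpath() before the prefix comparison, so a non-canonical base path still accepts legitimate plugins while `..` escapes and same-prefix sibling directories are rejected. The function name, the temporary directory tree and the file names are constructed for this illustration.

```php
<?php
// Returns the canonical path to load, or null when the entry must not be loaded.
function plugin_path_is_contained(string $plugins_dir, string $plugin): ?string {
    if ($plugin === '') {
        return null;
    }
    $base = realpath($plugins_dir);                                   // canonical base
    $target = realpath($plugins_dir . DIRECTORY_SEPARATOR . $plugin); // canonical candidate
    if ($base === false || $target === false) {
        return null; // base directory or plugin file does not exist
    }
    // Normalise separators so Windows paths compare like POSIX ones, and keep a
    // trailing slash so that "plugins-evil/" is not accepted as "plugins/".
    $base = rtrim(str_replace('\\', '/', $base), '/') . '/';
    $target = str_replace('\\', '/', $target);
    if (strncmp($target, $base, strlen($base)) !== 0) {
        return null; // resolves outside the plugins directory
    }
    return $target;
}

// Constructed fixture: a throwaway tree mimicking wp-content/plugins, uploads
// and a sibling directory that shares the "plugins" prefix.
$root = sys_get_temp_dir() . '/wpcheck_' . uniqid();
mkdir("$root/plugins/akismet", 0700, true);
mkdir("$root/uploads", 0700, true);
mkdir("$root/plugins-evil", 0700, true);
file_put_contents("$root/plugins/akismet/akismet.php", "<?php // legitimate plugin\n");
file_put_contents("$root/uploads/tmp123.php", "<?php // temp file outside plugins\n");
file_put_contents("$root/plugins-evil/x.php", "<?php // sibling directory\n");

$cases = [
    'akismet/akismet.php',              // accepted
    '../uploads/tmp123.php',            // rejected: escapes via ..
    'akismet/../../uploads/tmp123.php', // rejected: escapes via nested ..
    '../plugins-evil/x.php',            // rejected: sibling sharing the prefix
    '',                                 // rejected: empty entry
];
foreach ($cases as $plugin) {
    $r = plugin_path_is_contained("$root/plugins", $plugin);
    printf("%-36s %s\n", "'$plugin'", $r === null ? 'REJECT' : "LOAD $r");
}

// A non-canonical base path (as ABSPATH often is) still accepts the real plugin.
var_dump(plugin_path_is_contained("$root/plugins/../plugins", 'akismet/akismet.php') !== null);
```

Run with the PHP CLI; the fixture is left in the system temp directory and can be deleted afterwards.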