[wp-trac] Re: [WordPress Trac] #6871: Plugins without headers don't show in the plugins page, keeping some exploits hidden
WordPress Trac
wp-trac at lists.automattic.com
Thu May 1 01:05:52 GMT 2008
#6871: Plugins without headers don't show in the plugins page, keeping some
exploits hidden
------------------------------+---------------------------------------------
Reporter: guillep2k | Owner: anonymous
Type: defect | Status: new
Priority: high | Milestone: 2.5.2
Component: Security | Version: 2.5
Severity: critical | Resolution:
Keywords: exploit security |
------------------------------+---------------------------------------------
Comment (by guillep2k):
OK, you are right. After checking what the 6871.diff patch does I don't
think it would be of any help for any kind of attack. It seems to have
some error too, since it didn't remove any plugins from the active_plugins
option I faked to test with, nor showed any messages at the plugins admin
page. Instead, please consider these changes (sorry, I don't have an SVN
client for the moment, I performed a simple diff):
wp-settings.php
{{{
355,358c355,356
< foreach ($current_plugins as $plugin) {
< if ('' != $plugin && file_exists(ABSPATH .
PLUGINDIR . '/' . $plugin))
< include_once(ABSPATH . PLUGINDIR . '/' .
$plugin);
< }
---
> foreach ($current_plugins as $plugin)
> wp_validate_load_plugin($plugin);
}}}
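Review bot: the boolean that wp_validate_load_plugin() returns is discarded in `> wp_validate_load_plugin($plugin);`, so an active_plugins entry that fails the check is skipped silently: the stale entry stays in the option and nothing is shown on the plugins admin page, which is the same gap reported against 6871.diff a few lines above. Consider collecting the plugins for which the call returns false and either removing them from active_plugins or reporting them to the administrator, so a tampered option becomes visible instead of just inert.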
wp-includes/functions.php
{{{
1751a1752,1766
> /**
> * wp_validate_load_plugin() - Loads a plugin only if it exists below
the plugins directory
> *
> * @param string $plugin e.g. akismet/akismet.php
> * @return bool
> */
> function wp_validate_load_plugin($plugin) {
> $ppath = str_replace('\\','/',ABSPATH . PLUGINDIR) . '/';
> if ('' != $plugin && file_exists($ppath . $plugin) &&
> str_replace('\\','/',substr(realpath($ppath .
$plugin),0,strlen($ppath))) == $ppath) {
> include_once($ppath . $plugin);
> return true;
> } else return false;
> }
>
}}}
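Review bot: `$ppath` is built from the raw `ABSPATH . PLUGINDIR` while the other side of the comparison comes from realpath(), so when ABSPATH contains a symlink or a `..` component the canonical prefix never matches and every plugin is refused. Canonicalise the directory the same way, e.g. `$ppath = str_replace('\\','/', realpath(ABSPATH . PLUGINDIR)) . '/';`, and keep the trailing '/': it is what prevents a directory whose name merely starts with the plugins directory name from passing the prefix test. The docblock should also say that on success the function includes the file, since the name suggests validation only.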
I think this would be effective protection for future attacks of this
kind, since the attacker doesn't have full write permission on the file
system until the plugin is installed and executed; they can only write
temporary files, and PHP code can only be executed after SQL injection by
marking their temporary file as the plugin. This change eliminates the
possibility of executing plugins outside the plugin directory. Let me hear
your thoughts.
Guille
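As an added example (not the ticket's code, and in Python rather than PHP), the containment rule proposed above re-implemented against a constructed directory tree, exercising the cases the comment describes (a legitimate plugin, a traversal to wp-config.php, a temporary upload outside the plugin directory, a symlink pointing out of it) plus a sibling directory whose name starts with the plugins directory name, which a prefix check without the trailing separator would accept. It goes one step beyond the patch by canonicalising the base directory too; `plugin_path_is_contained` and `run_demo` are hypothetical names.

```python
import os
import tempfile

# Constructed re-implementation of the check in the ticket: load a plugin
# only if its canonical path lies strictly below the canonical plugins dir.
def plugin_path_is_contained(plugins_dir: str, plugin: str) -> bool:
    # Canonicalise the base as well, so a symlinked or '..'-containing
    # install path does not make every comparison fail.
    base = os.path.realpath(plugins_dir) + os.sep
    if plugin == "":
        return False
    candidate = os.path.join(plugins_dir, plugin)
    if not os.path.isfile(candidate):
        return False
    real = os.path.realpath(candidate)  # resolves '..' and symlinks
    # The trailing separator on `base` matters: without it a sibling such
    # as '<root>/plugins-evil/x.php' would match the prefix '<root>/plugins'.
    return real.startswith(base)

def run_demo() -> dict:
    """Build a throwaway tree (constructed sample data) and run the cases."""
    root = tempfile.mkdtemp()
    plugins = os.path.join(root, "plugins")
    os.makedirs(os.path.join(plugins, "akismet"))
    os.makedirs(os.path.join(root, "plugins-evil"))
    os.makedirs(os.path.join(root, "tmp"))
    for rel in ("plugins/akismet/akismet.php", "plugins-evil/x.php",
                "tmp/phpUPLOAD", "wp-config.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php\n")
    # A symlink inside the plugins dir that points at the temp upload.
    try:
        os.symlink(os.path.join(root, "tmp", "phpUPLOAD"),
                   os.path.join(plugins, "link.php"))
        symlink_result = plugin_path_is_contained(plugins, "link.php")
    except OSError:  # platforms without symlink support
        symlink_result = False
    return {
        "legit": plugin_path_is_contained(plugins, "akismet/akismet.php"),
        "traversal": plugin_path_is_contained(plugins, "../wp-config.php"),
        "tmp_upload": plugin_path_is_contained(plugins, "../tmp/phpUPLOAD"),
        "sibling_prefix": plugin_path_is_contained(plugins, "../plugins-evil/x.php"),
        "symlink_out": symlink_result,
        "empty": plugin_path_is_contained(plugins, ""),
    }
```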
--
Ticket URL: <http://trac.wordpress.org/ticket/6871#comment:8>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software