[wp-trac] Re: [WordPress Trac] #6871: Plugins without headers don't show in the plugins page, keeping some exploits hidden
WordPress Trac
wp-trac at lists.automattic.com
Thu May 1 04:59:11 GMT 2008
#6871: Plugins without headers don't show in the plugins page, keeping some exploits hidden
------------------------------+---------------------------------------------
 Reporter:  guillep2k         |       Owner:  anonymous
     Type:  defect            |      Status:  new
 Priority:  high              |   Milestone:  2.5.2
Component:  Security          |     Version:  2.5
 Severity:  critical          |  Resolution:
 Keywords:  exploit security  |
------------------------------+---------------------------------------------
Comment (by DD32):
I think a combination would be good.
My patch was simply designed to deactivate invalid plugins, not to protect
from them being loaded as such, although it would be useful in cleaning
up afterwards for some instances.
There are problems using realpath on Windows platforms too, and
unfortunately in the current instance using plugin_basename() would be
useless (as it only works with a correct input). (By problems with realpath,
I mean if it's not a valid path it'll return false, and AFAIK it can
cause extra IO in some cases; I'm not 100% sure on that, but it seems not
needed in this case anyway.)
Something like this could be used instead:
{{{
// Only include entries that are non-empty, contain no '..' and name an existing file
foreach ($current_plugins as $plugin)
    if ('' != $plugin && strpos($plugin, '..') === false &&
        file_exists(ABSPATH . PLUGINDIR . '/' . $plugin))
        include_once(ABSPATH . PLUGINDIR . '/' . $plugin);
}}}
That would prevent loading of any that had an obviously bad path; then the
plugin would be blown from the active plugins list upon loading the plugin
admin (assuming it hadn't attempted to filter itself out, but it wouldn't be
a problem anymore, as the exploit code shouldn't be loaded with the
plugins).
It'll still include any malicious code which is inside the plugin
directory however. It's not possible to perform all the checks for a proper
plugin on every page load in those cases; it's just too much loss of
performance.
> It seems to have some error too, since it didn't remove any plugins from
> the active_plugins option I faked to test with, nor showed any messages at
> the plugins admin page.
Not sure why... I tested by activating a plugin and then removing its
metadata. Just tried like this:
{{{
<?php
$current = get_option('active_plugins');
var_dump($current);
$current[] = '../../../../../../../../../../../../../../../../../../../../../../tmp/tmp4Z0MYa/sess_56b48e283b26c4dd342c25be2e4d22e7';
update_option('active_plugins', $current);
$current = get_option('active_plugins');
var_dump($current);
$invalid = validate_active_plugins();
var_dump($invalid);
$current = get_option('active_plugins');
var_dump($current);
?>

array
  0 => string 'add-from-server/add-from-server.php' (length=35)
array
  0 => string 'add-from-server/add-from-server.php' (length=35)
  1 => string '../../../../../../../../../../../../../../../../../../../../../../tmp/tmp4Z0MYa/sess_56b48e283b26c4dd342c25be2e4d22e7' (length=117)
array
  '../../../../../../../../../../../../../../../../../../../../../../tmp/tmp4Z0MYa/sess_56b48e283b26c4dd342c25be2e4d22e7' =>
    object(WP_Error)[206]
      public 'errors' =>
        array
          'plugin_invalid' =>
            array
              0 => string 'Invalid plugin.' (length=15)
      public 'error_data' =>
        array
          empty
array
  0 => string 'add-from-server/add-from-server.php' (length=35)
}}}
so it appears to work for me.
--
Ticket URL: <http://trac.wordpress.org/ticket/6871#comment:9>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
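Added example, not DD32's patch and not WordPress core code: the three checks from the snippet in the comment above (non-empty, no '..', existing file under the plugin directory) as a stand-alone PHP function that also records why each entry was dropped, so the admin page can prune the option; filter_active_plugins() and the throwaway plugin directory are assumed names for this illustration.

```php
<?php
// Added example, not DD32's patch or WordPress core code: the three checks from
// the comment (non-empty, no '..', existing file under the plugin dir) as one
// function. filter_active_plugins() and the temp directory are hypothetical.

/**
 * Return the entries of $active that may be included; everything else is put
 * into $rejected with a reason so the admin page can prune the option. As the
 * comment notes, any file really inside $plugin_dir still passes: this is a
 * path sanity check, not a plugin-header validation.
 */
function filter_active_plugins(array $active, $plugin_dir, array &$rejected = null)
{
    $rejected = array();
    $kept = array();
    foreach ($active as $plugin) {
        if ('' == $plugin || strpos($plugin, '..') !== false) {
            $rejected[$plugin] = 'empty or contains ..';
        } elseif (substr($plugin, -4) !== '.php') {
            $rejected[$plugin] = 'not a .php file';
        } elseif (!is_file($plugin_dir . '/' . $plugin)) {
            $rejected[$plugin] = 'file does not exist under plugin dir';
        } else {
            $kept[] = $plugin;
        }
    }
    return $kept;
}

// Constructed fixture: a throwaway plugin directory holding one real plugin file.
$dir = sys_get_temp_dir() . '/plugins_' . uniqid();
mkdir($dir . '/good-plugin', 0700, true);
file_put_contents($dir . '/good-plugin/good-plugin.php', "<?php // fixture\n");

$active = array(
    'good-plugin/good-plugin.php',
    '',
    '../../../../tmp/sess_EXAMPLE',   // constructed traversal entry, like the ticket's
    'good-plugin/readme.txt',         // wrong extension
    'gone-plugin/gone-plugin.php',    // plugin removed from disk
);
$kept = filter_active_plugins($active, $dir, $rejected);
var_dump($kept, $rejected);   // kept entries, then rejected entries with reasons

// Remove the fixture again.
unlink($dir . '/good-plugin/good-plugin.php');
rmdir($dir . '/good-plugin');
rmdir($dir);
```

Only the real plugin file survives the filter; the same check still cannot tell a genuine plugin from arbitrary PHP that already sits inside the plugin directory, which is the limitation DD32 points out.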