[wp-trac] Re: [WordPress Trac] #6871: Plugins without headers don't show in the plugins page, keeping some exploits hidden
WordPress Trac
wp-trac at lists.automattic.com
Thu May 1 12:52:10 GMT 2008
#6871: Plugins without headers don't show in the plugins page, keeping some exploits hidden
------------------------------+---------------------------------------------
Reporter: guillep2k | Owner: anonymous
Type: defect | Status: new
Priority: high | Milestone: 2.5.2
Component: Security | Version: 2.5
Severity: critical | Resolution:
Keywords: exploit security |
------------------------------+---------------------------------------------
Comment (by guillep2k):
Hi, DD32. Your method using strpos is better indeed, although it would
rule out any strange plugin name like 'my...'. Perhaps going a little
deeper in the same direction?:
{{{
strpos($plugin,'/../') === false && substr($plugin,0,3) != '../'
}}}
About the patch you wrote before, I think I tested it incorrectly. I
manually changed the serialized array from active_plugins using phpMyAdmin
and I inadvertently left two elements with index [0], so my fake plugin
never existed in the first place. Sorry about that. It does work as
expected. :)
--
Ticket URL: <http://trac.wordpress.org/ticket/6871#comment:10>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software