[wp-trac] [WordPress Trac] #19235: Turn ms-files.php off by default
WordPress Trac
wp-trac at lists.automattic.com
Mon Feb 20 00:38:39 UTC 2012
#19235: Turn ms-files.php off by default
-------------------------+--------------------
 Reporter:  nacin        |       Owner:
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  3.4
Component:  Multisite    |     Version:  3.3.1
 Severity:  normal       |  Resolution:
 Keywords:  3.4-early    |
-------------------------+--------------------
Changes (by wpmuguru):
* component: Security => Multisite
* severity: critical => normal
Comment:
Replying to [comment:25 juliobox]:
> About security, my view:
> Test: http://hollywoodpq.com/wp-content/blogs.dir/2/files/obm-gallery/widgetCache.php
> Now just remove "wp-content/blogs.dir/2/" and you now get:
> New test: http://hollywoodpq.com/files/obm-gallery/widgetCache.php
>
> PHP files are downloadable? Damn...
> What do you think about that?
>
> PS: Demo site found with Google.
> Julio - Web Security Consultant - boiteaweb.fr
Why are you putting PHP files in your media folders? If you are going to
upload PHP files to your media folders, don't expect WP security to protect
your site.
WP does not allow a user to upload PHP files to the media folder.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/19235#comment:26>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software