[wp-trac] [WordPress Trac] #19235: Turn ms-files.php off by default
WordPress Trac
wp-trac at lists.automattic.com
Mon Feb 20 00:42:07 UTC 2012
#19235: Turn ms-files.php off by default
-------------------------+--------------------
Reporter: nacin | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: 3.4
Component: Multisite | Version: 3.3.1
Severity: normal | Resolution:
Keywords: 3.4-early |
-------------------------+--------------------
Comment (by juliobox):
Replying to [comment:26 wpmuguru]:
> Replying to [comment:25 juliobox]:
> > About security, my view:
> > Test: http://hollywoodpq.com/wp-content/blogs.dir/2/files/obm-gallery/widgetCache.php
> > Now just remove "wp-content/blogs.dir/2/" and you get:
> > New test: http://hollywoodpq.com/files/obm-gallery/widgetCache.php
> >
> > PHP files are downloadable? Damn...
> > What do you think about that?
> >
> > ''ps: Demo site found with Google.''
> > ,,''Julio - Web Security Consultant - boiteaweb.fr'',,
>
> Why are you putting PHP files in your media folders? If you are going to upload PHP files to your media folders don't expect WP security to protect your site.
>
> WP does not allow a user to upload PHP files to the media folder.
I do not put PHP files there, but people and plugins are doing it.
I found some plugins which also copy some PHP files; just google some dorks.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/19235#comment:27>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
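
For administrators auditing the situation discussed in this comment, an added example (not part of the ticket or of WordPress core) that lists PHP-handled files sitting in multisite upload directories and shows both paths each one is reachable under. The extension list, the function names and the sample tree are assumptions made for the illustration.

```python
import os
import re
import tempfile

# Extensions commonly routed to the PHP handler (assumption: adjust to the server's config).
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Per-site upload layout seen in the URLs quoted in the comment above.
SITE_FILES = re.compile(r"^blogs\.dir/(\d+)/files/(.+)$")


def audit_blogs_dir(wp_content):
    """List PHP-handled files stored under <wp_content>/blogs.dir/<id>/files."""
    findings = []
    for root, _dirs, names in os.walk(os.path.join(wp_content, "blogs.dir")):
        for name in names:
            if not PHP_EXT.search(name):
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, wp_content).replace(os.sep, "/")
            match = SITE_FILES.match(rel)
            if match:
                findings.append({
                    "blog_id": int(match.group(1)),
                    # Path served straight by the web server (PHP may execute here).
                    "direct_path": "/wp-content/" + rel,
                    # Path under the sub-site's own URL, answered by ms-files.php.
                    "ms_files_path": "/files/" + match.group(2),
                })
    return sorted(findings, key=lambda f: (f["blog_id"], f["direct_path"]))


def build_sample_tree(base):
    """Create a small constructed upload tree for the demonstration."""
    samples = [
        "blogs.dir/2/files/obm-gallery/widgetCache.php",  # file named in the comment
        "blogs.dir/2/files/2012/02/photo.jpg",            # ordinary media, ignored
        "blogs.dir/3/files/cache/helper.PHTML",           # constructed, mixed case
    ]
    for rel in samples:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in audit_blogs_dir(tmp):
            print(finding)
```

Each finding is a file to remove or to investigate as a plugin artifact; the `ms_files_path` value is relative to the owning sub-site's URL.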