[wp-trac] [WordPress Trac] #26273: If possible, change file permissions on deactivated plugins so they're not web-accessible.
WordPress Trac
noreply at wordpress.org
Tue Nov 26 19:11:03 UTC 2013
#26273: If possible, change file permissions on deactivated plugins so they're not web-accessible.
----------------------------+-----------------------------
 Reporter:  kirrus          |      Owner:
     Type:  enhancement     |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  Administration  |    Version:
 Severity:  minor           |   Keywords:
----------------------------+-----------------------------
Basically, if a plugin is web-accessible, but not active, users are less
likely to upgrade it. Additionally, having unused third-party code lying
around web-accessible isn't nominal.

It'd be nice if WordPress, as it de-activated a plugin on a user request
from the admin panel, and if it was able to, automatically changed the
file permissions (chmod in Linux) to 000, such that the plugin file
wouldn't be accessible directly remotely.

That would reduce the code footprint, and so negate any security
vulnerabilities in the inactive plugins.

This is mostly just a would-be-nice, but it could help reduce the
likelihood of automated attacks coming off - like all the previous TimThumb
code, which was distributed widely with a remote code execution vuln.
(thumb.php)
--
Ticket URL: <http://core.trac.wordpress.org/ticket/26273>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software