[wp-hackers] Possible vulnerability with the plugin system

Stephen Rider wp-hackers at striderweb.com
Fri Nov 30 18:51:08 GMT 2007


I would think that anything within a subsidiary file should be included in a function.  I do this myself -- from the main plugin file I include another file and then call the function within that file.

Also, in my multiblog system the config files (with sensitive database login info) all start with this:

<?php
// Abort unless WordPress itself loaded this file (ABSPATH is set by the WordPress bootstrap).
if ( ! defined( 'ABSPATH' ) ) exit();

...so that they can't effectively be called directly, but only from within WordPress.

Am I mistaken in believing that this kind of thing is just basic PHP security?  (No offense intended in that question, John! :) )

Stephen

On Nov 30, 2007, at 12:34 PM, John Blackbourn wrote:

> It seems that any file contained anywhere within the
> `wp-content/plugins/` directory can be included (that's include()-ed)
> into the wp-admin screen — with full access to all the WordPress
> functions — just by passing it as the `page` parameter in the wp-admin
> URL.

> So what to do? When writing a plugin, if you use additional files for
> organisational purposes, make sure that if any files are called using
> this method, that it doesn't do anything unexpected.
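The two habits Stephen describes (an ABSPATH guard at the top of every file, and no top-level side effects in subsidiary files) put together in a minimal plugin layout. This is an added example, not code from this thread, from WordPress core or from any real plugin; the plugin name, the `egp_` prefix, the option names and the file paths are all hypothetical. Two files are shown in one block, separated by comments.

```php
<?php
// --- File: wp-content/plugins/example-guarded-plugin/example-guarded-plugin.php ---
// Hypothetical main plugin file (added example).
/*
Plugin Name: Example Guarded Plugin
*/

// Stop here if the file was requested on its own instead of being loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit();
}

// Load the helper file. Because everything in it is wrapped in functions,
// including it has no side effects until a function is actually called.
require_once plugin_dir_path( __FILE__ ) . 'includes/helpers.php';

// Attach the work to a WordPress hook rather than running it at file-load time.
add_action( 'init', 'egp_register_settings' );


<?php
// --- File: wp-content/plugins/example-guarded-plugin/includes/helpers.php ---
// Hypothetical helper file (added example).

// Repeat the guard in every subsidiary file: each file can be reached independently
// of the main plugin file, so the main file's guard does not protect this one.
if ( ! defined( 'ABSPATH' ) ) {
    exit();
}

// All logic lives inside functions, so merely including this file does nothing.
function egp_register_settings() {
    register_setting( 'egp_options', 'egp_greeting', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => 'Hello',
    ) );
}

// By contrast, any statement written at the top level of this file (outside a
// function) would execute every time the file is included, by whatever path.
```

The check that makes this work is the `defined( 'ABSPATH' )` test: WordPress defines that constant during its own bootstrap, so a file loaded through WordPress sees it and a file fetched directly does not. A quick way to verify a plugin follows the pattern is to grep every `.php` file under the plugin directory for the guard and for any statements outside a function or class body.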

