[wp-hackers] protecting wp-content/plugins ?

Tom Barta tbarta at gmail.com
Thu Aug 23 00:30:01 GMT 2007


On 8/22/07, Otto <otto at ottodestruct.com> wrote:
>
> Knowing whether the plugin exists on the site or not is irrelevant
> unless the plugin has a security hole. They're not going to "scan" for
> plugins that don't have known exploitable holes. So we can discount
> all plugins that do basic stuff like defining functions and using
> hooks. This is 80-90% of all plugins. Whether you know they are there
> or not, if they're not exploitable, it makes absolutely zero
> difference if the attacker knows of it.


Even so, the way that WordPress puts library scripts (e.g. not to be
accessed directly) into the document root is fundamentally a bad idea:
1) if your server setup breaks for whatever reason, it might end up
delivering script source instead of executing scripts (more of an issue with
someone writing custom plugins than with publicly-available plugins)
2) the discovery of a new exploit is suddenly troublesome if the PHP script
is web-accessible, making any vulnerabilities that are found potentially
more damaging
3) it provides extra information that no one *needs* to know.  Maybe I'm
paranoid, but why bother broadcasting something when there's nothing that
should be told?

Sure, perfectly-written plugins don't have any issues, but most computer
security is based around layers of protection.  If your only protection is
"plugins probably don't have bugs" then you're worse off than if your
protection is "plugins probably don't have bugs, and even if they did, most
of them wouldn't be exploitable since they're not web-accessible".

Of course, this is an argument against a bit more of WordPress's
architecture than the directory-listing issue.

-- 
Tom Barta
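
An added example, not part of the original message: a small audit that lists plugin PHP files which would run code if requested directly, i.e. the web-accessible library scripts discussed above. It assumes plugins that refuse direct requests do so with the common `defined('ABSPATH')` / `defined('WPINC')` guard near the top of the file; the plugin names and file contents in the sample tree are constructed.

```python
import os
import re
import tempfile

# Guard idiom assumed here: if ( ! defined( 'ABSPATH' ) ) exit;
GUARD = re.compile(r"defined\s*\(\s*['\"](ABSPATH|WPINC)['\"]\s*\)")
# Heuristic comment stripper; it does not parse PHP strings.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

def is_inert(source):
    """True if nothing is left once comments and PHP tags are removed."""
    body = COMMENTS.sub("", source).replace("<?php", "").replace("?>", "")
    return body.strip() == ""

def find_unguarded(plugins_dir, head_bytes=2048):
    """Return sorted relative paths of .php files that contain code and
    show no direct-access guard within the first head_bytes characters."""
    hits = []
    for dirpath, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            if is_inert(source) or GUARD.search(source[:head_bytes]):
                continue
            hits.append(os.path.relpath(path, plugins_dir).replace(os.sep, "/"))
    return sorted(hits)

# Constructed sample tree (hypothetical plugins), written to a temp dir.
SAMPLE = {
    "guarded/guarded.php": "<?php\nif ( ! defined( 'ABSPATH' ) ) exit;\nfunction g() {}\n",
    "guarded/index.php": "<?php\n// Silence is golden.\n",
    "legacy/legacy.php": "<?php\nrequire_once 'lib/helpers.php';\nadd_action('init', 'l');\n",
    "legacy/lib/helpers.php": "<?php\nfunction l() { return 42; }\n",
    "legacy/readme.txt": "not PHP, ignored\n",
}

def audit_sample():
    """Build the sample tree and return the unguarded files found in it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return find_unguarded(root)

if __name__ == "__main__":
    print("\n".join(audit_sample()))
```

A file on this list is not necessarily vulnerable; it is one that depends on having no bugs rather than on being unreachable, which is the layering point made above.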

