[wp-hackers] protecting wp-content/plugins ?

Alan J Castonguay alan at verselogic.net
Fri Aug 24 17:23:17 GMT 2007

On 23-Aug-07, at 7:12 PM, Tom Barta wrote:

> If I have a PHP script that is vulnerable when executed
> directly, but then I move it out of the document root, it can no  
> longer be
> executed directly (via HTTP requests) and therefore is no longer a  
> real
> vulnerability (assuming it's secure as a library).

Wordpress Plugins, assuming they're active, are included when someone  
requests any page on the blog (eg http://example.com/blog/ 
index.php ). Most anything that's exploitable when called directly  
with some data, like in a get string (eg http://example.com/blog/wp- 
content/plugins/badplugin.php?shellcode=rm%20-rf%20/ ) will still be  
exploitable when called via Wordpress (eg http://example.com/blog/ 
index.php?shellcode=rm%20-rf%20/ ).

The only situation I can think of where your cloaking suggestion  
makes sense, is one where a plugin does something when executed  
directly that it doesn't do when included in Wordpress. Aka, it  
checks to see how it was called, and executes a different code path  
based on that. If it's doing this, it fits into Otto's B scenario  
above: designed to do just that.

In the case of WP, there is no point in scanning for directly- 
requestable exploitable plugins. An attacker don't need to know  
whether an exploit exists before attempting it. Hiding direct file  
access does not make you any more or less secure.

Alan J Castonguay

More information about the wp-hackers mailing list