[wp-trac] [WordPress Trac] #9185: cordon off all non-entry points
from the public
WordPress Trac
wp-trac at lists.automattic.com
Fri Feb 20 04:16:23 GMT 2009
#9185: cordon off all non-entry points from the public
--------------------------+-------------------------------------------------
Reporter: jidanni | Owner: ryan
Type: defect (bug) | Status: new
Priority: normal | Milestone: 2.8
Component: Security | Version: 2.7
Severity: normal | Keywords:
--------------------------+-------------------------------------------------
Gentlemen, I just realized that anybody can go prancing around
the whole file tree, executing php programs left and right.
Browse your
{{{
http://example.net/blog/wp-config.php
http://example.net/blog/wp-admin/includes/
http://example.net/blog/wp-admin/includes/file.php ...
Fatal error: Call to undefined function __() in ...file.php on line 11
each file will generally produce a different error message.
}}}
We are very very lucky nothing worse happens here, allowing the public
to randomly execute internal components of wordpress that were never
intended to be executed separately, even by the administrator.
Compare this to !MediaWiki. No idle executing random PHP files allowed:
{{{
$ find * -name .htaccess
includes/.htaccess
languages/.htaccess
maintenance/archives/.htaccess
maintenance/.htaccess
math/.htaccess
serialized/.htaccess
t/.htaccess
tests/.htaccess
$ find * -name .htaccess|xargs cat|sort -u
Deny from all
}}}
And for individual files, we observe
{{{
die( "This file is part of MediaWiki, it is not a valid entry point" );
}}}
Now you might say "go make your own .htaccess files or use a plugin."
However I say the onus is on the core team to identify the entry
points to be allowed, and cordon the rest off like !MediaWiki does!
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9185>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list