Ticket #4759 (closed enhancement: duplicate)

Opened 1 year ago

Last modified 1 year ago

Blank index.php in wp-content subdirs

Reported by: ozh Assigned to: anonymous
Priority: normal Milestone:
Component: Security Version:
Severity: normal Keywords: index opendir security
Cc:

Description

Ola

Directory /wp-content has had its "Silence is golden" blank index page for years now, why not add this file by default to /plugins & /themes ?

It would greatly reduce script kiddies ability to find exploitable plugins (example)

Change History

08/16/07 17:05:54 changed by zamoose

+1 I concur.

Not sure whether it's worth making "diffs" in this circumstance, really.

08/17/07 13:42:26 changed by docwhat

Would index.html be better than index.php? There would be no risk of any code executing *ever* by accident.

Either way, there should be a comment explaining why the file is blank and that it should be kept that way.

Alternatively, rewrite rules might be better, since you could redirect the user to a legit page (like the root) in case they were walking up a URL.

Ciao!

08/20/07 15:15:52 changed by Ozh

  • keywords changed from index opendir security to index opendir security has-patch.
  • type changed from enhancement to defect.
  • component changed from Security to Administration.
  • severity changed from trivial to normal.
  • summary changed from Blank index.php in wp-content subdirs to Blank index.php in wp-content subdirs (proposal + bug patch).

As of now there is a bug (feature?) making the Dashboard default page display the content of any 'index.php' that might exist in /wp-content/plugins/ I think this is a bug because index.php might not be a plugin

Here is a proposal for a fix of this behavior (sorry, I have nothing like svn or patch on the machine I'm on right now).

1) A new function (in wp-admin/includes/plugins.php would be appropriate) 

/**
 * Checks if a file is (seems to be) a plugin - Ozh
 * @param	string	$plugin_file	full path to a file
 * @return 	boolean
 */
function is_pluginfile($plugin_file) {
	if ( !is_readable( $plugin_file ) or substr($plugin_file, -4) != '.php' )
		return false;
		
	$plugin_data = get_plugin_data( $plugin_file );

	if ( empty ( $plugin_data['Name'] ) )
		return false;

	return true;
}

2) Changes to /wp-admin/menu-header.php

Replace every file_exists with is_pluginfile

3) If this patch is accepted, function get_plugins() from /wp-admin/includes/plugins.php could use is_pluginfile() as well with an improved test on line 73: 

line 73 -- 		if ( !is_readable( "$plugin_root/$plugin_file" ) )
line 73 ++ 		if ( !is_pluginfile( "$plugin_root/$plugin_file" ) )

08/21/07 12:36:02 changed by Ozh

  • keywords changed from index opendir security has-patch to index opendir security.
  • type changed from defect to enhancement.
  • component changed from Administration to Security.
  • summary changed from Blank index.php in wp-content subdirs (proposal + bug patch) to Blank index.php in wp-content subdirs.

Sorry for the mess, the previous reply & patch was incomplete. See #4787 for a more complete problem analysis & patch. Ticket changed to be just a blank index.php proposal, as an easy and trivial "security" enhancement

09/05/07 20:07:40 changed by foolswisdom

  • status changed from new to closed.
  • resolution set to duplicate.
  • milestone deleted.

Closing as dup of #4787.