• Hi, thanks for writing this plugin and sharing it with the community. It serves its purpose pretty well. I am a little concerned about security though. You can basically use this plugin to do directory traversal (at least on the machine I am running it on, which is a standard lampp installation). If anyone with malicious intentions gets to know about the usage of this plugin in an installation it might be tempting to fool around with it. By a quick glance at the code, I have not seen use of any nonce function in the handling of the POST data. Do you have some other means of checking where the requests are coming from?
    Please do not take this note offensively, I am just concerned about security and wanted to point out a potential risk.

    https://www.ads-software.com/plugins/add-from-server/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Dion Hulse

    (@dd32)

    Meta Developer

    Since the plugin is only active for administrative users, who are trusted to install plugins and themes, I don’t see directory traversal as a bug, rather an expected feature. Some will disagree with that suggestion, however I stand by it.
    Additionally, the plugin only allows the import of WordPress-whitelisted files, which prevents the inclusion of files such as .php, or those lacking file extensions.
    Others will also call the display of the full file path a vulnerability, which I'm not overly concerned about.

    That being said, CSRF protection should be in there; however, it may have been lost at some point. I'll follow that up this week and check the status of that.

    The plugin is pending a major rewrite, so I've not really looked at the code in nearly 3 years.
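For readers wondering what the nonce check the original post asks about, and the CSRF protection the author mentions, look like in a WordPress POST handler, here is an added example written for this thread; it is not code from the Add From Server plugin. The action name `afs_demo_import`, the function names, and the choice of `WP_CONTENT_DIR` as the import root are assumptions made for the example; the WordPress functions it calls (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `wp_check_filetype`, `get_allowed_mime_types`) are core APIs.

```php
<?php
// Added example for this thread, not the plugin's own code.
// Hypothetical action name and handler; the import root is an assumption.

// 1. Rendering the form: embed a nonce bound to this specific action.
function afs_demo_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'afs_demo_import', '_afs_nonce' );
    echo '<input type="hidden" name="action" value="afs_demo_import">';
    echo '<input type="text" name="path"> <button type="submit">Import</button>';
    echo '</form>';
}

// 2. Handling the POST: capability check, nonce check, then constrain the path.
function afs_demo_handle() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies unless the request carries a valid nonce for this action, so a
    // cross-site form post made with an admin's cookies is rejected here.
    check_admin_referer( 'afs_demo_import', '_afs_nonce' );

    $base      = realpath( WP_CONTENT_DIR ); // assumed import root for the example
    $requested = sanitize_text_field( wp_unslash( $_POST['path'] ?? '' ) );
    $resolved  = realpath( $base . '/' . ltrim( $requested, '/' ) );

    // realpath() collapses ".." segments and follows symlinks; the result
    // must still sit inside $base, otherwise the request is refused.
    if ( false === $resolved
        || 0 !== strncmp( $resolved . '/', $base . '/', strlen( $base ) + 1 ) ) {
        wp_die( 'Path outside the permitted directory.', '', array( 'response' => 400 ) );
    }

    // Only file types WordPress already permits for uploads (no .php, no
    // extensionless files), mirroring the whitelist the author describes.
    $type = wp_check_filetype( basename( $resolved ), get_allowed_mime_types() );
    if ( empty( $type['type'] ) ) {
        wp_die( 'File type not permitted.', '', array( 'response' => 400 ) );
    }

    // ... hand $resolved to the media library import routine here ...
}
add_action( 'admin_post_afs_demo_import', 'afs_demo_handle' );
```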

    Thread Starter BdN3504

    (@bdn3504)

    Thanks for clearing that up.

  • The topic ‘A note about security’ is closed to new replies.