Ticket #4759 (closed enhancement: duplicate)
Blank index.php in wp-content subdirs
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | Security | Version: | |
| Severity: | normal | Keywords: | index opendir security |
| Cc: |
Description
Ola
Directory /wp-content has had its "Silence is golden" blank index page for years now, why not add this file by default to /plugins & /themes ?
It would greatly reduce script kiddies ability to find exploitable plugins ( example)
Change History
Would index.html be better than index.php? There would be no risk of any code executing *ever* by accident.
Either way, there should be a comment explaining why the file is blank and that it should be kept that way.
Alternatively, rewrite rules might be better, since you could redirect the user to a legit page (like the root) in case they were walking up a URL.
Ciao!
- Keywords has-patch added
- Type changed from enhancement to defect
- Component changed from Security to Administration
- Severity changed from trivial to normal
- Summary changed from Blank index.php in wp-content subdirs to Blank index.php in wp-content subdirs (proposal + bug patch)
As of now there is a bug (feature?) making the Dashboard default page display the content of any 'index.php' that might exist in /wp-content/plugins/ I think this is a bug because index.php might not be a plugin
Here is a proposal for a fix of this behavior (sorry, I have nothing like svn or patch on the machine I'm on right now).
1) A new function (in wp-admin/includes/plugins.php would be appropriate)
/**
* Checks if a file is (seems to be) a plugin - Ozh
* @param string $plugin_file full path to a file
* @return boolean
*/
function is_pluginfile($plugin_file) {
if ( !is_readable( $plugin_file ) or substr($plugin_file, -4) != '.php' )
return false;
$plugin_data = get_plugin_data( $plugin_file );
if ( empty ( $plugin_data['Name'] ) )
return false;
return true;
}
2) Changes to /wp-admin/menu-header.php
Replace every file_exists with is_pluginfile
3) If this patch is accepted, function get_plugins() from /wp-admin/includes/plugins.php could use is_pluginfile() as well with an improved test on line 73:
line 73 -- if ( !is_readable( "$plugin_root/$plugin_file" ) ) line 73 ++ if ( !is_pluginfile( "$plugin_root/$plugin_file" ) )
- Keywords has-patch removed
- Type changed from defect to enhancement
- Component changed from Administration to Security
- Summary changed from Blank index.php in wp-content subdirs (proposal + bug patch) to Blank index.php in wp-content subdirs
Sorry for the mess, the previous reply & patch was incomplete. See #4787 for a more complete problem analysis & patch. Ticket changed to be just a blank index.php proposal, as an easy and trivial "security" enhancement
comment:5
foolswisdom — 4 years ago
- Status changed from new to closed
- Resolution set to duplicate
- Milestone 2.3 deleted
Closing as dup of #4787.
+1 I concur.
Not sure whether it's worth making "diffs" in this circumstance, really.