Make WordPress Core

Opened 18 years ago

Closed 18 years ago

Last modified 11 months ago

#2964 closed defect (bug) (invalid)

Manage > Files may give access to password protected folders

Reported by: PozHonks
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.0.3
Component: Security
Keywords:
Focuses:
Cc:

Description

In Manage > Files, one can edit any file on the server but wp-config.php. It even gives access to files in folders protected by a password. E.g.: we can access "/secret/.htaccess", WP shows it, in this file we see the path to the .htpasswd file, access it, change the password, or worse, delete the path to the password so the folder is free for reading to anyone. Plus, it is also possible to edit the .htaccess to display a list of files even if an index file is present. So all files are accessible.
If a hacker enters into WordPress by guessing the admin password, he may get access to almost everything. Is it a security flaw?
My server is hosted on Linux with Apache, but changing chmod to 644 (for a file, even 444) or 744 (for a folder) doesn't prevent the server from modifying or accessing files, because the PHP server rights are not managed that way, as in many other webhosts, unfortunately.

Change History (5)

#1 @markjaquith
18 years ago

  • Resolution set to invalid
  • Status changed from new to closed

You can only edit files with the WordPress root directory (except wp-config.php). If you have WP in your root directory, you'll need to move it to a subdirectory in order to disallow editing of non-WP files.

#2 @markjaquith
18 years ago

Make that "you can only edit files within the WordPress root directory". That is, files in and below the directory that contains wp-config.php.
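The containment rule described in this comment (editable files are those in and below the directory holding wp-config.php, never wp-config.php itself), written out as an added example that is not WordPress's own code. The demo directory layout it builds under the system temp directory is constructed for illustration.

```php
<?php
// Added example, not WordPress code: an allow-check for a file editor that
// follows the rule stated in this ticket. Returns the resolved path when the
// file may be edited, or null when it must be refused.
function editable_path(string $wp_root, string $requested): ?string
{
    $root = realpath($wp_root);
    if ($root === false || !is_dir($root)) {
        return null;
    }
    // realpath() resolves ".." and symlinks and returns false for files that
    // do not exist; both cases are treated as "not editable".
    $target = realpath($root . '/' . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the root WITH a trailing separator, so that a sibling
    // directory such as "/srv/wordpress-old" is not mistaken for the root.
    $prefix = rtrim($root, '/') . '/';
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    if (basename($target) === 'wp-config.php') {
        return null;
    }
    return $target;
}

// Constructed demo tree (hypothetical layout): a WordPress root with a
// password-protected subfolder, and a directory outside the root that holds
// the .htpasswd file.
$base = sys_get_temp_dir() . '/wp-editor-demo-' . getmypid();
mkdir("$base/wp/secret", 0700, true);
mkdir("$base/private", 0700, true);
file_put_contents("$base/wp/wp-config.php", "<?php // config\n");
file_put_contents("$base/wp/index.php", "<?php // index\n");
file_put_contents("$base/wp/secret/.htaccess", "AuthType Basic\n");
file_put_contents("$base/private/.htpasswd", "user:hash\n");

// Two files inside the root, the config file, and one traversal attempt
// that points outside the root.
$cases = ['index.php', 'secret/.htaccess', 'wp-config.php', '../private/.htpasswd'];
foreach ($cases as $case) {
    $result = editable_path("$base/wp", $case);
    printf("%-22s => %s\n", $case, $result === null ? 'denied' : 'editable');
}

// Remove the demo tree again.
foreach (["wp/secret/.htaccess", "wp/index.php", "wp/wp-config.php", "private/.htpasswd"] as $f) {
    unlink("$base/$f");
}
foreach (["wp/secret", "wp", "private"] as $d) {
    rmdir("$base/$d");
}
rmdir($base);
```

Note that the .htaccess inside the root is allowed through, which is exactly the behaviour the reporter describes; the check only keeps the editor inside the WordPress directory, it does not make per-file exceptions beyond wp-config.php.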

#3 @PozHonks
18 years ago

OK. However, wouldn't it be a good idea to activate or deactivate this function in wp-config.php? I just don't want to give hackers tools to easily deface a website (just by changing the content of index.php). I think it would be much safer that way.

#4 @skeltoac
18 years ago

Your concern is valid enough: grabbing your plaintext password essentially gives the attacker access to everything WordPress can do. However, there are plenty of other ways an admin can gain full system access. They can upload PHP, for example.

If you don't want WP to have access to certain files, change the file system to prevent it.

#5 @(none)
18 years ago

  • Milestone 2.0.4 deleted