#2964 closed defect (bug) (invalid)
Manage > Files may give access to password protected folders
| Reported by: | PozHonks | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 2.0.3 |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
In Manage > Files, one can edit any file on the server except wp-config.php. It even gives access to files in folders protected by a password. E.g.: we can access "/secret/.htaccess"; WP shows it, and in this file we see the path to the .htpasswd file, access it, change the password, or worse, delete the path to the password so the folder is free for anyone to read. Plus, it is also possible to edit the .htaccess to display a list of files even if an index file is present. So all files are accessible.
If a hacker gets into WordPress by guessing the admin password, he may get access to almost everything. Is it a security flaw?
My server is hosted on Linux with Apache, but changing chmod to 644 (for a file, even 444) or 744 (for a folder) doesn't prevent the server from modifying or accessing files, because the PHP server's rights are not managed that way, as with many other web hosts, unfortunately.
Change History (5)
#2 @ 18 years ago
Make that "you can only edit files within the WordPress root directory". That is, files in and below the directory that contains wp-config.php.
#3 @ 18 years ago
OK. However, wouldn't it be a good idea to activate or deactivate this function in wp-config.php? I just don't want to give hackers tools to easily deface a website (just by changing the content of index.php). I think it would be much safer that way.
#4 @ 18 years ago
Your concern is valid enough: grabbing your plaintext password essentially gives the attacker access to everything WordPress can do. However, there are plenty of other ways an admin can gain full system access. They can upload PHP, for example.
If you don't want WP to have access to certain files, change the file system to prevent it.
You can only edit files within the WordPress root directory (except wp-config.php). If you have WP in your root directory, you'll need to move it to a subdirectory in order to disallow editing of non-WP files.
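The containment rule the comments above settle on ("only files within the WordPress root directory, except wp-config.php"), as an added example that is not code from the ticket or from WordPress; the function names and the constructed directory tree (an `html` root next to a password-protected `secret` folder) are assumptions:

```python
import os
import shutil
import tempfile

# Constructed example (not WordPress code): the rule from this ticket is
# "only files within the WordPress root directory, except wp-config.php".
PROTECTED_BASENAMES = {"wp-config.php"}


def resolve_editable_target(requested, wp_root):
    """Return the canonical path of ``requested`` if editing it is allowed.

    Both paths are canonicalised with realpath first, so ``..`` segments and
    symlinks pointing out of the tree (e.g. ``../secret/.htaccess``) are
    rejected. Raises PermissionError when the rule is violated.
    """
    root = os.path.realpath(wp_root)
    target = os.path.realpath(os.path.join(root, requested))
    # commonpath, not startswith: a sibling such as ``html-old`` would
    # otherwise pass a prefix test against ``html``.
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{requested!r} resolves outside the WordPress root")
    if os.path.basename(target) in PROTECTED_BASENAMES:
        raise PermissionError(f"{requested!r} is protected from editing")
    return target


def demo():
    """Build a constructed tree <tmp>/html (WP root) and <tmp>/secret, then
    run the check over a few requests. Returns {request: "allowed"|"denied"}."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "html")
    os.makedirs(os.path.join(root, "wp-content", "themes"))
    os.makedirs(os.path.join(base, "secret"))
    for rel in ("wp-config.php", "index.php", "wp-content/themes/style.css"):
        open(os.path.join(root, rel), "w").close()
    open(os.path.join(base, "secret", ".htaccess"), "w").close()
    # A symlink inside the root pointing at the protected folder.
    os.symlink(os.path.join(base, "secret"), os.path.join(root, "link"))
    requests = ("index.php", "wp-content/themes/style.css", "wp-config.php",
                "../secret/.htaccess", "link/.htaccess")
    results = {}
    for rel in requests:
        try:
            resolve_editable_target(rel, root)
            results[rel] = "allowed"
        except PermissionError:
            results[rel] = "denied"
    shutil.rmtree(base)
    return results
```

The check decides only whether a path may be edited; as comment #4 notes, it does nothing about what the PHP process itself is allowed to read or write, which remains a file system permission question.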