#4759 closed enhancement (duplicate)
Blank index.php in wp-content subdirs
| Reported by: | ozh | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | index opendir security |
| Focuses: | | Cc: | |
Description
Ola
Directory /wp-content has had its "Silence is golden" blank index page for years now, so why not add this file by default to /plugins & /themes?
It would greatly reduce script kiddies' ability to find exploitable plugins (example).
Change History (6)
#2 @ 17 years ago
Would index.html be better than index.php? There would be no risk of any code executing *ever* by accident.
Either way, there should be a comment explaining why the file is blank and that it should be kept that way.
Alternatively, rewrite rules might be better, since you could redirect the user to a legit page (like the root) in case they were walking up a URL.
Ciao!
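The check the description and comment #2 are arguing about, as an added example that is not part of the ticket or of WordPress core: a POSIX shell script that lists every directory under wp-content/plugins and wp-content/themes with neither an index.php nor an index.html (the directories a web server with indexes enabled would list), and can drop a blank, commented index.php into each. The WordPress root path is taken as an argument, the sample tree is constructed, and the comment wording mirrors the "Silence is golden" idea rather than being copied from core.

```shell
#!/bin/sh
# Added example (not from ticket #4759 or WordPress core). Assumes the
# WordPress root is passed as $1; everything under it is constructed input.

# Print each directory under wp-content/plugins and wp-content/themes that
# has neither index.php nor index.html, i.e. that is listable when the
# web server has directory indexes enabled. The plugins/themes directories
# themselves are included, since that is where the listing matters most.
missing_index_dirs() {
    root="$1"
    for sub in plugins themes; do
        base="$root/wp-content/$sub"
        [ -d "$base" ] || continue
        find "$base" -type d | while read -r d; do
            if [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ]; then
                printf '%s\n' "$d"
            fi
        done
    done
}

# Create a blank index.php in every directory reported by missing_index_dirs.
# The file produces no output; the comment says why it exists, per comment #2.
add_blank_index() {
    missing_index_dirs "$1" | while read -r d; do
        printf '<?php\n// Silence is golden. This file intentionally produces no output;\n// it exists only to prevent directory listing. Keep it empty.\n' \
            > "$d/index.php"
    done
}
```

Run `missing_index_dirs /var/www/site` to audit, and `add_blank_index /var/www/site` to fix. Note the limits: a blank index file only hides the listing, it does not stop a direct request for a known path such as /wp-content/plugins/foo/foo.php, and a server-side setting (`Options -Indexes` for Apache, `autoindex off` for nginx) is the more robust control, with the blank file as a fallback for hosts where that cannot be set. Writing index.html instead of index.php, as comment #2 suggests, avoids ever having an extra executable file in the tree; the script above uses index.php only to match what /wp-content already ships.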
#3 @ 17 years ago
- Component changed from Security to Administration
- Keywords has-patch added
- Severity changed from trivial to normal
- Summary changed from Blank index.php in wp-content subdirs to Blank index.php in wp-content subdirs (proposal + bug patch)
- Type changed from enhancement to defect
As of now there is a bug (feature?) making the Dashboard default page display the content of any 'index.php' that might exist in /wp-content/plugins/
I think this is a bug because index.php might not be a plugin
Here is a proposal for a fix of this behavior (sorry, I have nothing like svn or patch on the machine I'm on right now).
1) A new function (in wp-admin/includes/plugins.php would be appropriate)
```php
/**
 * Checks if a file is (seems to be) a plugin - Ozh
 *
 * @param string $plugin_file full path to a file
 * @return boolean
 */
function is_pluginfile( $plugin_file ) {
	// Reject unreadable files and anything without a .php extension.
	if ( ! is_readable( $plugin_file ) || substr( $plugin_file, -4 ) != '.php' )
		return false;
	// A real plugin declares at least a "Plugin Name:" header; a blank
	// index.php has none, so it is not treated as a plugin.
	$plugin_data = get_plugin_data( $plugin_file );
	if ( empty( $plugin_data['Name'] ) )
		return false;
	return true;
}
```
2) Changes to /wp-admin/menu-header.php
Replace every file_exists with is_pluginfile
3) If this patch is accepted, function get_plugins() from /wp-admin/includes/plugins.php could use is_pluginfile() as well with an improved test on line 73:
```
line 73 -- if ( !is_readable( "$plugin_root/$plugin_file" ) )
line 73 ++ if ( !is_pluginfile( "$plugin_root/$plugin_file" ) )
```
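Review bot: the extension test in is_pluginfile(), `substr($plugin_file, -4) != '.php'`, is case-sensitive, so with the line 73 replacement a plugin file named FOO.PHP that get_plugins() listed before would silently disappear from the list; compare against strtolower() of the suffix, or state in the docblock that only lowercase .php is accepted. Since is_pluginfile() already performs the is_readable() check, the replacement is otherwise a strict tightening of the old test, but it also calls get_plugin_data() on every candidate, so the docblock should say that the function reads and parses the file and is not free to call repeatedly.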
#4 @ 17 years ago
- Component changed from Administration to Security
- Keywords has-patch removed
- Summary changed from Blank index.php in wp-content subdirs (proposal + bug patch) to Blank index.php in wp-content subdirs
- Type changed from defect to enhancement
Sorry for the mess, the previous reply & patch were incomplete. See #4787 for a more complete problem analysis & patch. Ticket changed to be just a blank index.php proposal, as an easy and trivial "security" enhancement.
+1 I concur.
Not sure whether it's worth making "diffs" in this circumstance, really.