
Make WordPress Core

Opened 2 months ago

Last modified 2 months ago

#48049 new enhancement

bots searching for vulnerable plugins

Reported by: loranrendel
Owned by: (nobody)
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: (none)
Component: Security
Keywords: (none)
Focuses: (none)
Cc: (none)
PR Number: (none)

Description

I've logged hundreds of attempts to download wp-config.php from my site.

/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php
/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download&item=wp-config.php&order=name&srt=yes
/wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php
/wp-admin/admin-ajax.php?action=getfile&/../../wp-config.php
/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/../../wp-config.php

All these bots are trying to use some vulnerabilities.

I propose to use code like this inside WordPress Core to prevent such attempts:

<?php
// Proposed early exit: refuse any request whose raw request URI mentions
// "wp-config" (covers wp-config.php as well as wp-config.php~, wp-config.bak).
if (strpos($_SERVER['REQUEST_URI'], 'wp-config') !== false) {
    die;
}

Attachments (2)

48049.patch (459 bytes) - added by dkarfa 2 months ago.
48049.1.patch (534 bytes) - added by dkarfa 2 months ago.


Change History (5)

#1 @SergeyBiryukov
2 months ago

  • Component changed from General to Security

@dkarfa
2 months ago

@dkarfa
2 months ago

#2 @swissspidy
2 months ago

Sounds like a duplicate of #36177, which targets way more files than just wp-config.php.

#3 @loranrendel
2 months ago

Replying to swissspidy:

Sounds like a duplicate of #36177, which targets way more files than just wp-config.php.

Not exactly.
My proposal will also protect against access to files like wp-config.php~, wp-config.bak and some hooked functions.

Another requested URL:

/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
Last edited 2 months ago by loranrendel
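The probe URLs quoted in the description and in comment 3, run through a small access-log scanner that applies the same "wp-config" substring test to each logged request (an added example in Python, not code from the ticket or from WordPress core; the log lines, source addresses and user agents are constructed, and the URI is percent-decoded before testing because web servers log the raw request):

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in combined log format: the six probe URIs from the
# ticket plus two benign requests. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Oct/2019:10:00:01 +0000] "GET /wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php HTTP/1.1" 404 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Oct/2019:10:00:02 +0000] "GET /wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download&item=wp-config.php&order=name&srt=yes HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2019:10:00:03 +0000] "GET /wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php HTTP/1.1" 404 1234 "-" "curl/7.64"
198.51.100.7 - - [01/Oct/2019:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=getfile&/../../wp-config.php HTTP/1.1" 400 0 "-" "curl/7.64"
192.0.2.44 - - [01/Oct/2019:10:00:05 +0000] "GET /wp-content/themes/acento/includes/view-pdf.php?download=1&file=/../../wp-config.php HTTP/1.1" 404 1234 "-" "python-requests/2.22"
192.0.2.44 - - [01/Oct/2019:10:00:06 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 512 "-" "python-requests/2.22"
192.0.2.44 - - [01/Oct/2019:10:00:07 +0000] "GET /wp-content/plugins/my-plugin/readme.txt HTTP/1.1" 200 512 "-" "python-requests/2.22"
203.0.113.99 - - [01/Oct/2019:10:00:08 +0000] "GET /2019/10/hello-world/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Client address, timestamp, request line and status of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def is_wp_config_probe(uri):
    """The ticket's strpos() test, applied to the percent-decoded URI."""
    return 'wp-config' in unquote(uri)


def scan_log(text):
    """Return one record per request that references wp-config."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_wp_config_probe(m['uri']):
            continue
        uri = unquote(m['uri'])
        hits.append({'ip': m['ip'], 'uri': uri, 'status': int(m['status']),
                     'traversal': '../' in uri})   # path-traversal style probe?
    return hits


def summarize(hits):
    """Probe count per source address, so repeat offenders stand out."""
    return Counter(h['ip'] for h in hits)


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']:15} {h['status']} traversal={h['traversal']} {h['uri']}")
    print(summarize(found))
```

A status of 200 on a flagged request (the revslider line above) is the one worth investigating first, since the others were refused or not found.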