Opened 7 months ago

Closed 2 months ago

#48049 closed enhancement (duplicate)

bots searching for vulnerable plugins

Reported by: loranrendel
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

I've logged hundreds of attempts to download wp-config.php from my site.

/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php
/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download&item=wp-config.php&order=name&srt=yes
/wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php
/wp-admin/admin-ajax.php?action=getfile&/../../wp-config.php
/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/../../wp-config.php

All these bots are trying to use some vulnerabilities.

I propose to use code like this inside WordPress Core to prevent such attempts:

<?php
// Proposed check: refuse any request whose raw URI contains the string
// "wp-config" (covers wp-config.php as well as wp-config.php~ and wp-config.bak).
if ( isset( $_SERVER['REQUEST_URI'] ) && strpos( $_SERVER['REQUEST_URI'], 'wp-config' ) !== false ) {
	die;
}

Attachments (2)

48049.patch (459 bytes) - added by dkarfa 7 months ago.
48049.1.patch (534 bytes) - added by dkarfa 7 months ago.


Change History (6)

#1 @SergeyBiryukov
7 months ago

  • Component changed from General to Security

@dkarfa
7 months ago

@dkarfa
7 months ago

#2 @swissspidy
7 months ago

Sounds like a duplicate of #36177, which targets way more files than just wp-config.php.

#3 @loranrendel
7 months ago

Replying to swissspidy:

Sounds like a duplicate of #36177, which targets way more files than just wp-config.php.

Not exactly.
My proposal will also protect from accessing files like wp-config.php~, wp-config.bak and some hooked functions.

Another requested url:

/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
Last edited 7 months ago by loranrendel

#4 @dd32
2 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Although the direction suggested in this ticket differs from that of #36177, I'm going to close this as a duplicate of that regardless.

It'll be best to keep all discussion on the general idea of "blocking malicious requests" on the same ticket, even if any implemented change doesn't necessarily follow how the ticket originally intended it to be implemented.

I'd encourage you to bring up your idea on #36177 as an alternate method.
