Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#48049 closed enhancement (duplicate)

bots searching for vulnerable plugins

Reported by: loranrendel
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

I've logged hundreds of attempts to download wp-config.php from my site.

/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php
/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download&item=wp-config.php&order=name&srt=yes
/wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php
/wp-admin/admin-ajax.php?action=getfile&/../../wp-config.php
/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/../../wp-config.php

All these bots are trying to use some vulnerabilities.

I propose to use code like this inside WordPress Core to prevent such attempts:

<?php
// Refuse any request whose URI mentions the configuration file.
if (strpos($_SERVER['REQUEST_URI'], 'wp-config') !== false) {
    die;
}

Attachments (2)

48049.patch (459 bytes) - added by dkarfa 5 years ago.
48049.1.patch (534 bytes) - added by dkarfa 5 years ago.


Change History (6)

#1 @SergeyBiryukov
5 years ago

  • Component changed from General to Security

@dkarfa
5 years ago

@dkarfa
5 years ago

#2 @swissspidy
5 years ago

Sounds like a duplicate of #36177, which targets way more files than just wp-config.php.

#3 @loranrendel
5 years ago

Replying to swissspidy:

Sounds like a duplicate of #36177, which targets way more files than just wp-config.php.

Not exactly.
My proposal will also protect from accessing files like wp-config.php~, wp-config.bak and some hooked functions.

Another requested URL:

/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
Last edited 5 years ago by loranrendel
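The description above proposes refusing any request whose URI mentions wp-config, and comment #3 extends that to wp-config.php~ and wp-config.bak. The following is an added example, not WordPress core code and not the reporter's patch: it keeps the same substring idea but percent-decodes and case-folds the URI first (a bare strpos() on $_SERVER['REQUEST_URI'] misses "wp%2Dconfig" or "%252e%252e/"), and it adds an offline scan over constructed access-log lines so the probes in the ticket can be reviewed from logs. All function names, the sample log lines and the suggestion of loading it as a must-use plugin are assumptions.

```php
<?php
// Added example (hypothetical helpers), not WordPress core code.

/**
 * Percent-decode a URI until it stops changing (bounded), so single- and
 * double-encoded forms are compared in their decoded shape.
 */
function fully_decode_uri(string $uri, int $max_rounds = 3): string
{
    for ($i = 0; $i < $max_rounds; $i++) {
        $next = rawurldecode($uri);
        if ($next === $uri) {
            break;
        }
        $uri = $next;
    }
    return $uri;
}

/**
 * True when the request URI (path or query string) references the
 * configuration file: wp-config.php, and variants such as wp-config.php~
 * or wp-config.bak, since the substring check covers every suffix.
 */
function request_targets_wp_config(string $request_uri): bool
{
    $normalised = strtolower(str_replace('\\', '/', fully_decode_uri($request_uri)));
    return strpos($normalised, 'wp-config') !== false;
}

/**
 * Offline detection: return the request URIs from access-log style lines
 * that reference wp-config. Expects the common "GET /path HTTP/1.1" field.
 */
function find_wp_config_probes(array $log_lines): array
{
    $hits = [];
    foreach ($log_lines as $line) {
        if (preg_match('/"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/', $line, $m)
            && request_targets_wp_config($m[1])) {
            $hits[] = $m[1];
        }
    }
    return $hits;
}

/**
 * Request-time guard: answer 403 and stop before any plugin code runs.
 * Meant to be loaded early (a must-use plugin is one option); kept as a
 * function so this file can be included without side effects.
 */
function block_wp_config_probe(): void
{
    $uri = $_SERVER['REQUEST_URI'] ?? '';
    if (request_targets_wp_config($uri)) {
        http_response_code(403);
        exit;
    }
}

// Constructed sample log lines: the URIs quoted in the ticket, one
// percent-encoded variant, and two ordinary requests that must not match.
$sample_log = [
    '203.0.113.5 - - [01/Jan/2020:00:00:00 +0000] "GET /wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php HTTP/1.1" 404 -',
    '203.0.113.5 - - [01/Jan/2020:00:00:01 +0000] "GET /wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php HTTP/1.1" 404 -',
    '203.0.113.5 - - [01/Jan/2020:00:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 400 -',
    '203.0.113.5 - - [01/Jan/2020:00:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=getfile&/../../WP%2DCONFIG.php%7E HTTP/1.1" 400 -',
    '198.51.100.9 - - [01/Jan/2020:00:00:04 +0000] "GET / HTTP/1.1" 200 -',
    '198.51.100.9 - - [01/Jan/2020:00:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 -',
];

if (PHP_SAPI === 'cli') {
    // Expected: the first four URIs are reported, the last two are not.
    foreach (find_wp_config_probes($sample_log) as $uri) {
        echo "probe: {$uri}\n";
    }
}
```

Two caveats follow from the thread itself. The substring match also refuses a legitimate URL whose slug happens to contain "wp-config", which is one reason a site-level rule is easier to justify than a core change. And, as comments #2 and #4 note, this is a signature for a single file name: the same traversal bugs that serve wp-config.php will serve other files, which is the broader scope #36177 addresses.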

#4 @dd32
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Although the direction suggested in this ticket differs from that of #36177, I'm going to close this as a duplicate of that regardless.

It'll be best to keep all discussion on the general idea of "blocking malicious requests" on the same ticket, even if any implemented change doesn't necessarily follow how the ticket originally intended it to be implemented.

I'd encourage you to bring up your idea on #36177 as an alternate method.
