harden the security of the active_plugins array
Reported by: Denis-de-Bernardy | Owned by: ryan
In the past few weeks I've been assisting a couple of users whose sites got hacked. Granted, they're at fault, and they had not upgraded their sites.
It occurred to me, however, that a simple tweak to the WP source code would have gone a long way to minimize the impact of their site getting hacked. Specifically, every hacked site I've bumped into ultimately took advantage of the active_plugins array, as follows:
include_once(WP_PLUGIN_DIR . '/' . $plugin);
The $plugin is checked for dots, and the like, but that definitely doesn't seem to be enough.
Why are we not validating that the plugin file ends with .php? It would prevent hackers from including txt, bak, jpg and whatnot types of files...
This check should be done immediately before the plugin is included.
Along the same lines, the uploads folder should be validated to make sure it doesn't look fishy before it gets used.
Fishy-looking files and values should not just be rejected -- the site's admin should additionally get an hourly email until he has fixed the issues.
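
Added example, not part of the ticket and not WordPress core code: one way to perform the check requested above immediately before the include, by requiring a `.php` suffix and confirming that the resolved file sits inside the plugin directory. The function name `safe_plugin_path`, the temporary directory and the sample entries are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; function name and sample values are hypothetical.

/**
 * Return the resolved path of a plugin entry if it is safe to include, else null.
 */
function safe_plugin_path(string $pluginDir, string $plugin): ?string
{
    // Reject empty values, NUL bytes, absolute paths and backslashes.
    if ($plugin === '' || strpos($plugin, "\0") !== false
        || $plugin[0] === '/' || strpos($plugin, '\\') !== false) {
        return null;
    }
    // Reject any ".." path segment.
    if (in_array('..', explode('/', $plugin), true)) {
        return null;
    }
    // Require a .php suffix (the check the ticket asks for).
    if (substr($plugin, -4) !== '.php') {
        return null;
    }
    // Resolve symlinks and confirm the file really sits under the plugin dir.
    $base = realpath($pluginDir);
    $real = realpath($pluginDir . '/' . $plugin);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo: a temporary plugin directory with one plugin and one stray file.
$dir = sys_get_temp_dir() . '/plugins_demo_' . getmypid();
@mkdir($dir . '/hello', 0700, true);
file_put_contents($dir . '/hello/hello.php', "<?php // constructed sample plugin\n");
file_put_contents($dir . '/hello/notes.txt', "constructed sample, not a plugin\n");

// Constructed stand-in for the stored active_plugins array.
$activePlugins = ['hello/hello.php', 'hello/notes.txt', '../wp-config.php', 'missing/gone.php'];
foreach ($activePlugins as $entry) {
    $path = safe_plugin_path($dir, $entry);
    echo str_pad($entry, 20), $path === null ? 'rejected' : 'ok', "\n";
    // A loader would call include_once($path) only when $path !== null,
    // and record the rejected entries so the site admin can be notified.
}
```

Because the containment check uses `realpath()`, a plugin that is symlinked in from outside the plugin directory is rejected as well.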