WordPress.org

[closed] Developers Need to Plug Up the Folders (16 posts)

  1. pattyg
    Member
    Posted 6 years ago #

    I don't understand why WordPress is not scripted with built-in blank or "silence is golden" index.php files in all the subfolders of wp-admin, wp-includes, wp-content and wp-plugins.

    In checking not only my own blogs but also the blogs of my colleagues who are not aware of this issue, every single plugin folder, CSS file and JavaScript file is left wide open in the browser without the silence-is-golden index.php file.

    I just spent the last 2 days plugging up these holes.

    This should be a "given". I also use zencart and php link directory and both of those php scripts automatically include blank index.html or index.php files to secure the subfolders of the script.

    I would have thought that with the countless number of people who use WordPress, that the development team would have taken this into account as many people would not know or think to look for this.

  2. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    What would be the point of this? These are not security holes.

    And honestly, a better way would be to add Options -Indexes to your .htaccess file or to your server's httpd.conf file.

  3. pattyg
    Member
    Posted 6 years ago #

    You're kidding, right?

    You mean to say that you honestly don't see the point?

    The point is that exposing all of the javascripts, php files, etc. leaves numerous entry points for not only site theft but also hacking, especially when you have plugin folders clearly exposed.

    If many other php scripts such as zencart, phplink directory and oscommerce can see this needs to be done, there's no reason why WordPress shouldn't be doing the same.

  4. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    The point is that exposing all of the javascripts, php files, etc. leaves numerous entry points for not only site theft but also hacking, especially when you have plugin folders clearly exposed.

    No it doesn't. This is simply false. All it does is to expose what plugins and such are there, not the contents of those plugins. Furthermore, most plugins you can identify as being on a site without even looking in those directories.

    And you cannot hack a site through javascripts at all, that's just silly.

    All realistic hacking of sites is done on an automated basis. Hackers don't look at your site to see what plugins you have and then find an exploit for one of them. They build a small bit of code that hacks sites which are vulnerable, and then spam it out using botnets to hundreds of thousands of sites, whether those sites are vulnerable or not.

    Hey, I'm not saying that blocking viewing of these files is a bad idea, because it's not. But thinking that it is some sort of security measure is simply incorrect and misinformed. It's as silly as the notion that turning off "SSID Broadcast" is a security measure for your WiFi home router. Hiding things like this doesn't add to security.

  5. whooami
    Member
    Posted 6 years ago #

    I would be more concerned about this honestly.

    http://ottodestruct.com/blog/wp-includes/template-loader.php

    Are you on shared hosting? If so, I have 1/2 of your authentication info and didn't even try.

    That ^^ is just lazy coding, in my opinion.
    --

    And while I can concede that the majority of hack attempts are automated, I can also argue that there are pointed and very specific attempts made on some sites. Consequently, allowing someone to successfully snoop (easily) isn't wise.

    I know of someone that posted a "hack me" post to his blog -- and guess what, not long after he was hacked.

  6. Len
    Member
    Posted 6 years ago #

    I've noticed an increase in strange traffic to my site recently. I have things locked down but they seem to be scanning for specific plugins and trying to call certain files behind wp-admin and wp-includes. I've been preoccupied with watching my logs lately. ;)

  7. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    whooami: Bah. I scoff at you. ;)

    Knowing my username (which you kinda knew already, to be honest) doesn't get you my password. Or anything else particularly useful, for that matter. And if you must know, that blog is on a GoDaddy shared server. Go nuts.

    But if you're really concerned, bring it up on trac. That's a relatively simple fix to make, no reason it couldn't go into 2.5.1.

    However, as somebody who is quite capable of exploiting holes in websites, I really don't see that not being able to see the directories is any serious impediment to cracking into a system.

  8. pattyg
    Member
    Posted 6 years ago #

    Apparently the developers over at zencart think it's serious enough of an issue to address it, having confirmed it with them this afternoon.

    I'm sure they didn't go through all the trouble to include silence is golden files in all their directories for lack of anything else to do.

    "I have things locked down but they seem to be scanning for specific plugins and trying to call certain files behind wp-admin and wp-includes."

    "I can also argue that there are pointed and very specific attempts made on some sites. Consequently, allowing someone to successfully snoop (easily) isn't wise."

    Exactly.

  9. whooami
    Member
    Posted 6 years ago #

    otto :) I didn't say that I had your password. I said I had 1/2 -- the other 1/2, and path info is not something that ought to be public. Ever.

    As for trac, it was brought up eons ago by someone else (it's been an issue since 1.2), and the devs ignored it. My site doesn't provide any similar info, so I'm not personally concerned.

    I would be more concerned about this honestly.

    ^^ If I were someone else, and not me. :)

  10. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    @pattyg: "They did it, so there must be some reason" doesn't really fly with me. They might be misinformed, or ignorant of the facts, or just plain idiots. I don't generally trust other people's words or actions, I prefer to understand the reasoning behind them instead. It's more reliable in the long run. :-D

    If you want to bring it up on trac, fine. I won't stop you. I am just providing the counter argument and telling you that I don't think it's necessary or useful. So don't get all upset just because I disagree with you.

    And setting Options -Indexes is still a much better solution in any case. Adding tons of essentially useless files when one line in .htaccess does the trick seems rather silly to me. Frankly, if it's a legitimate concern, then it's a concern that should be handled at the webserver level, not at the application level.

    @whooami: Bah. I continue scoffing in your general direction. ;)
    Also, display_errors = Off in the php.ini does the trick.
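    The two mitigations argued over in this thread, Options -Indexes in .htaccess at the webserver level and blank "Silence is golden" index.php files at the application level, shown side by side in an added shell example. This is not code from any poster or from WordPress itself; the .htaccess path and the directory tree it walks are assumptions supplied as arguments, so it runs against any scratch directory.

    ```shell
    #!/bin/sh
    # Added example (not from the thread or from WordPress): two ways to stop
    # a webserver from listing the contents of WordPress directories.
    #
    # ensure_options_no_indexes FILE
    #   The webserver-level fix recommended in the thread: append
    #   "Options -Indexes" to an .htaccess file unless a matching Options
    #   line is already present, so repeated runs stay idempotent.
    #
    # add_silence_index ROOT
    #   The application-level approach: write a blank "Silence is golden."
    #   index.php into every directory under ROOT that has neither an
    #   index.php nor an index.html, so a host without -Indexes still shows
    #   an empty page instead of a listing. Prints the number of files created.
    #
    # Both paths are arguments; nothing here points at a real site.

    ensure_options_no_indexes() {
        htaccess="$1"
        # Create the file if the install has no .htaccess yet.
        [ -f "$htaccess" ] || : > "$htaccess"
        # Any Options line that already carries -Indexes counts as done.
        if ! grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$htaccess"; then
            printf '%s\n' 'Options -Indexes' >> "$htaccess"
        fi
    }

    add_silence_index() {
        root="$1"
        # find emits every directory (ROOT included); the loop skips any that
        # already has an index file and counts the ones it fills in. The count
        # is produced inside the pipeline so it survives the subshell.
        find "$root" -type d | while IFS= read -r dir; do
            if [ ! -e "$dir/index.php" ] && [ ! -e "$dir/index.html" ]; then
                printf '%s\n' '<?php' '// Silence is golden.' > "$dir/index.php"
                echo created
            fi
        done | wc -l | tr -d '[:space:]'
    }

    # Stand-alone usage on a constructed scratch tree (not a real install):
    #   tmp=$(mktemp -d); mkdir -p "$tmp/wp-content/plugins/example"
    #   ensure_options_no_indexes "$tmp/.htaccess"
    #   add_silence_index "$tmp"
    ```

    The .htaccess directive only takes effect where Apache honours AllowOverride Options for that directory; on hosts that do not, the same line belongs in httpd.conf as Otto notes. The php.ini setting display_errors = Off mentioned above addresses a separate issue (error output revealing filesystem paths) and is not touched by this script.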

  11. pattyg
    Member
    Posted 6 years ago #

    "They might be misinformed, or ignorant of the facts, or just plain idiots."

    So now you're calling the developers of Zencart, one of the web's most popular and widely used open source shopping carts, misinformed or idiots?

    Coming here really was a waste of my time, wasn't it?

    I suppose the developers of PHP Link Directory, JROX Jam, and Amember are also misinformed or idiots as well?

    WordPress wants feedback and I gave it... as a business professional.

    Go ahead and continue your scoffing as you've truly shown you are anything but a professional.

  12. whooami
    Member
    Posted 6 years ago #

    if you are not so concerned otto, then fix it so it can be seen again :)

    It's cool, we have different opinions on a few things regarding security. I like mod_sec, you don't, for instance.

    I gotta say though, since moving to my own server, I am seeing tons less exploit attempts. Perhaps it's the 50000+ IPs I nullroute. Or maybe these scripts take a particular host IP, and scan for domains on that IP..

    Either way, I am pleased at the outcome of my moving off a shared host IP space.

  13. whooami
    Member
    Posted 6 years ago #

    patty, otto is a moderator here -- not a WP developer. Aside from being able to do stuff here on these forums, he is really no different than you or I as far as WP goes. He also has as much right to his opinion as you and I, regardless of his situation. Besides which, he scoffed at me -- I don't take offense, I know otto, in an online sort of way, he can scoff in my direction anytime. :)

    --

    I call people idiots all of the time, who cares. Opinions are just that.

  14. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    So now you're calling the developers of Zencart, one of the web's most popular and widely used open source shopping carts, misinformed or idiots?

    Are you incapable of reading and understanding the English language? Does the word "might" not mean anything to you? Do you not understand that sentences are supposed to be taken in context?

    If you're going to sit here sniping at anybody who disagrees with you, then yes, by all means, leave. You are not welcome here with that sort of behavior.

  15. pattyg
    Member
    Posted 6 years ago #

    I don't know what bug is up your $ss, but the forum title clearly states that it is for "Requests and Feedback."

    My concern regarding this issue is a concern across many of my business colleagues and developers of numerous other scripts.

    Whether you disagree with that concern or not, you are certainly entitled to that opinion, but the forum is for FEEDBACK for the WP developers.

    I didn't come here looking for debate, to be "scoffed at", to banter with mods, or to be bullied by a mod who clearly doesn't understand what professional business behavior is.

  16. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    And yet you persist in sniping at me repeatedly, as if you're unable to have a reasonable conversation. I was just providing my viewpoint on the matter. If you don't care about my viewpoint, then stop responding to me.

    If you want to talk about unprofessional behavior, you're the one continually acting in seeming disbelief at me when all I'm doing is saying a very simple "I disagree and here's why". I've said nothing in anything other than a light-hearted tone, I've used liberal smilies to convey that, and yet you're continually offended just because I don't agree with your point of view.

    Stop it. If you are not looking for debate, then stop debating.

    This thread is now closed, because you cannot have a reasonable conversation and it can go nowhere but downhill. If you act like this again, I will have you blocked from this forum.

This topic has been closed to new replies.
