Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Contributor michal

    (@michal_cksource)

    Does Google index files from other plugins?
    We will check this, thanks for reporting this.

    Thread Starter harrisonhill777

    (@harrisonhill777)

    No, I haven’t seen any other plugin indexed by Google. I just checked and 64 400 results appeared for the query “/wp-content/plugins/ckeditor-for-wordpress/filemanager”

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    πŸ³οΈβ€πŸŒˆ Advisor and Activist

    How could anyone upload any file just by going to domain.com/wp-content/plugins/ckeditor-for-wordpress/filemanager though?

    Google searches for anything that’s linked to, though, so the plugin shouldn’t be linking from the FRONT end of the site to the BACK end where the plugin is located.

    Thread Starter harrisonhill777

    (@harrisonhill777)

    Well, check this out:

    wp-content/plugins/ckeditor-for-wordpress/filemanager/browser/default/browser.html

    Actually, I haven’t linked to ckeditor anywhere (Why should I?) And I doubt that any of the 64 400 site admins that can be found by this query in Google have linked to it.

    Plugin Contributor michal

    (@michal_cksource)

    I think that this depends on WordPress, domain and server configuration. As @ipstenu wrote, Google indexes everything it can, but WordPress/site configuration should block some links. You can’t upload a file just by going to the

    /wp-content/plugins/ckeditor-for-wordpress/filemanager

    link.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    πŸ³οΈβ€πŸŒˆ Advisor and Activist

    I checked on wp-content/plugins/ckeditor-for-wordpress/filemanager/browser/default/browser.html and I can’t see that it uploaded anything, while logged out.

    WordPress/site configuration should block some links.

    No… WordPress can only block what it KNOWS about. If you add a plugin, the PLUGIN should block. Personally, I think that plugin ought to be PHP wrapped and have a wp_die() call in it to make sure you can’t hit it up outside of wp-admin.

    Yes, YOU should block file browsing, though as this doesn’t work on all servers, WP can’t put it in.

    Put Options -Indexes at the top of .htaccess and that will block people from browsing around. But. It won’t stop someone who knows where a file is directly.

    (ETA: I reported this to pluginsATwordpress.org anyway, as a possible security hole b/c you can pull up that html page and interact)

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    I have temporarily suspended the plugin and contacted the authors.

    Plugin Contributor michal

    (@michal_cksource)

    I think that suspending our plugin because of a security issue for that reason is unfair. Yes, it’s bad that you can find the mentioned query on Google, but I will give you a few examples of what you can find on Google that in my opinion should be secured by WordPress (it should ban indexing of its directories).

    Try searching on Google:
    “wp-includes/theme-compat”, “wp-content/plugins/akismet/”, “wp-content/plugins/custom-field-template”.
    There are plenty of other plugin, theme etc. examples.
    Of course I don’t want to harm other developers.

    The file browser in our plugin is disabled by default. It also checks user permissions to use it and upload. This is the reason why we think that your reaction is too big. Of course if someone adds permissions to upload for everyone on his site it’s his mistake/problem… but this situation occurs with all file browsers/editors and so on.

    For now please unlock our plugin.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    The indexing doesn’t bother me. That’s a site-specific issue. It’s the filemanager I was concerned about.

    After analyzing the code, I’ve found that the actual upload functionality is performing a check on a non-default option to enable the filemanager. It’s not exactly the clearest code in the world, but it would stop the uploader from working with it turned off.

    The plugin has been re-enabled.
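The thread above asks for two things from a plugin that ships a file browser: that its PHP entry points refuse to run when hit directly outside WordPress (Ipstenu’s wp_die() suggestion), and that uploads stay gated behind a non-default option plus a permission check (what Otto found in the code). The following is an added example written for this page; it is not CKEditor’s, the plugin’s, or WordPress core’s own code. The option name `example_fm_enabled`, the action name `example_fm_upload`, and the form field `fm_file` are assumptions; `wp_die()`, `get_option()`, `current_user_can()`, `check_admin_referer()`, `wp_handle_upload()`, `wp_nonce_field()` and the `admin_post_{action}` hook are real WordPress APIs.

```php
<?php
/*
 * Added example, not code from the plugin or from WordPress core.
 * Shows how an upload endpoint shipped inside a plugin can be gated:
 *   1. refuse to run outside the WordPress bootstrap,
 *   2. only be reachable via wp-admin/admin-post.php for logged-in users,
 *   3. require a non-default option to be switched on,
 *   4. require the upload_files capability,
 *   5. require a nonce (CSRF protection),
 *   6. let WordPress validate and place the file.
 * Option name, action name and field name below are assumptions.
 */

// 1. A direct request to /wp-content/plugins/<plugin>/this-file.php has no
//    ABSPATH defined, so bail before doing anything. wp_die() does not exist
//    yet at this point, hence a plain exit.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 2. Register the handler on the logged-in hook only. Logged-out visitors
//    hitting admin-post.php?action=example_fm_upload get no handler at all,
//    because no admin_post_nopriv_example_fm_upload action is registered.
add_action( 'admin_post_example_fm_upload', 'example_fm_handle_upload' );

function example_fm_handle_upload() {
    // 3. Feature is opt-in: default is off, the site owner must enable it.
    if ( ! get_option( 'example_fm_enabled', false ) ) {
        wp_die( 'File manager is disabled.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 4. Use WordPress' own upload permission rather than a home-grown role check.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'You are not allowed to upload files.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 5. The form must carry a nonce bound to this action; dies on failure.
    check_admin_referer( 'example_fm_upload' );

    if ( empty( $_FILES['fm_file'] ) ) {
        wp_die( 'No file sent.', 'Bad Request', array( 'response' => 400 ) );
    }

    // 6. wp_handle_upload() applies the allowed-MIME-type checks and stores the
    //    file under wp-content/uploads, never inside the plugin directory.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['fm_file'], array( 'test_form' => false ) );

    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), 'Upload failed', array( 'response' => 400 ) );
    }

    // Back to wp-admin; wp_safe_redirect() refuses off-site targets.
    wp_safe_redirect( add_query_arg( 'fm_uploaded', '1', admin_url() ) );
    exit;
}

// The matching form. It posts to admin-post.php, not to a file inside the
// plugin folder, and is only rendered when the same gates would let the
// upload through.
function example_fm_render_form() {
    if ( ! get_option( 'example_fm_enabled', false ) || ! current_user_can( 'upload_files' ) ) {
        return;
    }
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_fm_upload">
        <?php wp_nonce_field( 'example_fm_upload' ); ?>
        <input type="file" name="fm_file">
        <button type="submit">Upload</button>
    </form>
    <?php
}
```

Two caveats that follow from the thread. A static page such as `browser.html` cannot be wrapped this way, so it will always be fetchable by anyone who knows the URL; what matters is that the PHP connector it talks to carries the checks above, which is the point of Otto’s finding that the uploader checks a non-default option. And `Options -Indexes` in `.htaccess` only stops Apache from listing a directory; as Ipstenu notes, it does nothing against a request for a file whose path is already known (or already in Google).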


The topic ‘[Plugin: CKEditor For WordPress] Security flaw’ is closed to new replies.