[Resolved] [Plugin: My FTP] security patch – restrict navigation to wordpress folder

  • MyFTP is a high security risk because it allows navigation through the whole webserver. Here is a security patch to restrict navigation to the WordPress folder:

    @@ -154,6 +154,13 @@
    
       $pDir = pathinfo($dir);
       $parentDir = $pDir["dirname"];
    +  /* nexus5 security patch */
    +  function startsWith($haystack, $needle)
    +  {
    +    return strpos($haystack, $needle) === 0;
    +  }
    +  if (!startsWith($parentDir, get_home_path())) $parentDir = get_home_path();
    +  /* nexus5 security patch */ 
    
     ?>
       <div id="subForm">
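
Review bot: the added `if (!startsWith($parentDir, get_home_path()))` line constrains only `$parentDir`, and does so with a raw string-prefix test, so `$dir` itself is never checked in this hunk and a path that begins with the home path but contains `..` segments still passes. Apply the same check to `$dir` before `pathinfo($dir)` is called, and compare `realpath()` results on both sides instead of the unresolved strings. Separately, `startsWith()` is declared inline under a generic name; guard it with `function_exists()` or give it a plugin-specific prefix to avoid a redeclaration error.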

    http://wordpress.org/extend/plugins/myftp/
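
A stricter form of the containment check this post is aiming for, as an added example that is not part of the original post or of the My FTP plugin: it resolves the requested path before comparing it with the base directory. `confine_dir()` and the sample directory tree are hypothetical; in the plugin the base would be the value of `get_home_path()`.

```php
<?php
// Added example: confine a requested directory to a base directory.
// confine_dir() and the sample paths are hypothetical, not My FTP code.

function confine_dir(string $requested, string $base): string
{
    $baseReal = realpath($base);
    if ($baseReal === false || !is_dir($baseReal)) {
        throw new RuntimeException("Base directory does not exist: $base");
    }
    $baseReal = rtrim($baseReal, DIRECTORY_SEPARATOR);

    // realpath() resolves "..", "." and symlinks; it returns false when
    // the path does not exist. Anything unresolvable falls back to the base.
    $real = realpath($requested);
    if ($real === false || !is_dir($real)) {
        return $baseReal;
    }

    // Accept the base itself, or a path that continues with a separator,
    // so a sibling such as ".../wp-old" is not accepted for base ".../wp".
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if ($real === $baseReal || strncmp($real, $prefix, strlen($prefix)) === 0) {
        return $real;
    }
    return $baseReal;
}

// Constructed sample tree in the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'confine_demo_' . getmypid();
$base = $root . '/wp';
@mkdir($base . '/wp-content/uploads', 0700, true);
@mkdir($root . '/wp-old', 0700, true);

$cases = [
    $base . '/wp-content/uploads',  // inside the base: kept
    $base . '/wp-content/../..',    // resolves above the base: clamped
    $root . '/wp-old',              // shares the string prefix only: clamped
    $base . '/missing',             // does not exist: clamped
];
foreach ($cases as $dir) {
    printf("%-70s => %s\n", $dir, confine_dir($dir, $base));
}
```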

Viewing 2 replies - 1 through 2 (of 2 total)
  • Ken Dirschl
    Participant

    @badfun

    Thanks for this, nexus5. This is a great quick fix.

    Ken Dirschl
    Participant

    @badfun

    Another hack is to remove the ‘up one level’ link, since there is already a ‘back one level’ link. Not elegant, but another fix.

    line 185

    <li><a href='" . $_SERVER["PHP_SELF"] . "?page=MyFtp&dir=$parentDir'>Up One Level</a></li>&nbsp;&nbsp;&nbsp;
