We have a WP site that's just gone live, and this morning came in to a bunch of unexpected anti-virus reports on the server. Here's what happened:
- Joe Random Hacker is constantly blasting out requests to vulnerable WP plugins, trying to upload a PHP backdoor. He's trying every WP site he can find.
- Joe's requests hit our server. They are multipart-encoded POST requests aimed at various vulnerable plugins, each trying to upload a file.
- Joe's requests result in the "this is embarrassing" 404 page, because the plugins he's trying to exploit aren't installed on our server.
- However, PHP has helpfully unpacked Joe's request, and has stored his malicious upload in the PHP temp directory.
- Anti-virus sees the file in temp, deletes it, and alerts us.
Assuming I've made myself understood :), my question is this:
Why does WordPress/PHP go to all the lengths of unpacking all the parameters and putting uploaded files in temp before it checks if the URI exists? If I ask for /wp-content/plugins/i-do-not-exist/hackme.php, surely it's more efficient to check that this is present before doing all the parameter parsing etc?
Is there any way I can stop WP/PHP from putting arbitrary files into temp if the URI does not exist?
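An added example, not part of the original post and not WordPress's own rules, showing one way to have the 404 issued before PHP ever sees the request. It assumes Apache with mod_rewrite and WordPress's stock `.htaccess`, under which every URI that is not an existing file or directory is rewritten to `index.php`; PHP parses a multipart body (and writes each part to `upload_tmp_dir`) during its request startup, before `index.php` runs a single line, which is why the 404 page arrives only after the upload has already landed in temp. The fix is to let Apache answer 404 itself for missing files under the plugin path, so the request is never handed to the PHP handler. The `/wp-content/plugins/` prefix is an assumption; adjust it to match the paths in your own logs.

```apache
# Added example (not WordPress's stock rules): place this block ABOVE the
# "# BEGIN WordPress" section in the site's .htaccess.
RewriteEngine On

# A request for a plugin file that does not exist on disk gets a plain
# Apache 404 and is never rewritten to index.php, so PHP never starts,
# never unpacks the multipart body, and never writes $_FILES entries to
# upload_tmp_dir. The path prefix is an assumption; add further prefixes
# (e.g. /wp-content/themes/) if the probes target them too.
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ - [R=404,L]

# Stock WordPress rules follow, unchanged and shown only for context:
# BEGIN WordPress
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
```

Two things to check after adding it: a genuine plugin file (one that exists on disk) must still be served, so the `-f`/`-d` conditions are what keep real plugins working; and the site's `ErrorDocument 404` should point at a static file rather than a PHP script, otherwise the error page itself invokes PHP and the gain is lost. The same idea carries over to nginx with `try_files $uri =404` on that location instead of forwarding to the PHP upstream.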