• Resolved yoni y

    (@yoni-y)


    I came to write a post on my blog after not doing it for a while and noticed TinyMCE is not working.

    It seems like the post page is trying to load the file wp-includes/js/tinymce/wp-tinymce.php but this file is blocked since I explicitly block any direct access to php scripts under wp-includes.

    Now most online guides suggest removing the block, but why would this file be accessed in the first place? Why can’t the JS files be included like all other files with wp_enqueue_script?
    And if there is some reason this file needs to be required from the include folder, why can’t it be generated once and included as a static JS file?

    What is the reason for this minor but potential security risk?
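    As an added example (not code from the thread, from WordPress, or from the Codex), the Python below models the two policies this thread contrasts: the blanket rule the original poster describes (deny every .php anywhere under wp-includes) and a narrower deny list that only covers PHP directly in wp-includes plus a few include-only subtrees, in the spirit of the Codex hardening rules Mike links to. The regex patterns, helper names and sample request paths are my own constructed approximations; the real enforcement lives in the web server configuration, so this only shows which requests each policy would deny and why the blanket version breaks the editor.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Policy 1: the blanket rule from the original post, as a constructed regex:
# any .php anywhere below wp-includes is denied.
BLANKET_RULES = [r"^wp-includes/.*\.php$"]

# Policy 2: a narrower constructed deny list. It denies PHP that sits directly
# in wp-includes and a few include-only subtrees, but not nested endpoints
# such as wp-includes/js/tinymce/wp-tinymce.php that the editor requests.
NARROW_RULES = [
    r"^wp-admin/includes/",
    r"^wp-includes/[^/]+\.php$",
    r"^wp-includes/js/tinymce/langs/.+\.php$",
    r"^wp-includes/theme-compat/",
]


def normalise(request_path: str) -> str:
    """Reduce a request URL or path to the site-relative path the rules match on.

    Drops scheme, host, query and fragment, then collapses '//' and '..' so a
    request like '/wp-includes//version.php' is judged as 'wp-includes/version.php'.
    """
    path = urlsplit(request_path).path
    path = posixpath.normpath(path)
    return path.lstrip("/")


def is_blocked(request_path: str, rules) -> bool:
    """True if any deny pattern matches the normalised request path."""
    path = normalise(request_path)
    return any(re.search(rule, path) for rule in rules)


def broken_assets(required, rules) -> list:
    """Return the endpoints the editor needs that a policy would deny."""
    return [p for p in required if is_blocked(p, rules)]


# Constructed sample requests: the editor endpoint named in the thread, a
# static asset, two include-only core files, and an admin include.
EDITOR_NEEDS = ["/wp-includes/js/tinymce/wp-tinymce.php?c=1&ver=4"]
SAMPLE = EDITOR_NEEDS + [
    "/wp-includes/js/jquery/jquery.js",
    "/wp-includes/load.php",
    "/wp-includes//version.php",
    "/wp-admin/includes/file.php",
]

if __name__ == "__main__":
    for name, rules in (("blanket", BLANKET_RULES), ("narrow", NARROW_RULES)):
        print(f"{name}: editor endpoints denied = {broken_assets(EDITOR_NEEDS, rules)}")
        for p in SAMPLE:
            verdict = "DENY " if is_blocked(p, rules) else "allow"
            print(f"  {verdict} {p}")
```

    Running it shows the blanket policy denying wp-tinymce.php while still leaving the static jquery.js alone, and the narrower policy denying the include-only files (load.php, version.php, wp-admin/includes) without touching the editor endpoint. Any deny list of this kind should be re-checked against the core files of the WordPress version actually deployed, since the set of PHP files meant to be requested directly can change between releases.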

Viewing 3 replies - 1 through 3 (of 3 total)
  • I’m sorry I don’t have an answer to your question. Maybe someone else can chime in. But why do you take the extra step to close down access to wp-includes?

    The steps below should be sufficient for most installs, and as long as you are blocking write access to the files/directory I don’t see the security issue.

    http://codex.wordpress.org/Hardening_WordPress

    If you do see this as a valid security risk then I recommend you post it, accompanied with use case where this could be exploited, as a trac at https://make.wordpress.org/core/

    Thread Starter yoni y

    (@yoni-y)

    Hi Mike, thank you for your reply.
    I’ve opened a ticket in core: https://core.trac.wordpress.org/ticket/32482#ticket

    I think explaining the general security issues with direct access to php include files might be a bit too complex for me to explain in this forum (but I’m sure there are some explanations about this issue online).

    As with most security best practices, there might not be any way to exploit this issue at the moment, but it’s better to take preventive action and block access where it is not needed than to wait for someone to exploit the system.

    Great! I’ll keep an eye on your trac. I’m still not sure why having access to php located in wp-includes is a security issue, but I look forward to feedback from the core team on your trac.

  • The topic ‘wp-includes/js/tinymce/wp-tinymce.php access’ is closed to new replies.