This topic was marked solved by its starter, on June 3rd, 2014, 02:25 PM
[Security issue] /plugins/<name>/plugin-info.xml

CerealGuy

  • Posts: 343
[Security issue] /plugins/<name>/plugin-info.xml
« on March 17th, 2014, 05:52 PM »
Just thought about the problem with the plugin-info.xml and that it's accessible. Think about an automated scanner like wpscan which uses plugin lists to bruteforce which plugins you have installed. For that kind of tool it would be too easy to look at what plugins you have installed (if the plugin author cares about it :lol:) and even see the version used.
Example:
http://wedge.org/plugins/mentions/plugin-info.xml

I'm not really into .htaccess, but a "deny from all" in /plugins/.htaccess could fix it.
EDIT:
Perhaps adding xml to filematch would be even a better solution :hmm:
Code:
<FilesMatch "\.(zip|gz|bz2|tar|xml)$">
    # Apache 2.2 syntax: refuse direct HTTP access to archives and XML files
    Order deny,allow
    Deny from all
</FilesMatch>

Nao

  • Dadman with a boy
  • Posts: 16,082
[Security issue] Re: /plugins/<name>/plugin-info.xml
« Reply #1, on March 17th, 2014, 11:31 PM »
Hmm... I actually *have* this file in wedge.org/plugins (did you try to access an XML file? If you were able to, then there's an issue.)

And I just checked, it IS in the OriginalFiles file, but this version is missing the XML file, for some reason. I'm not sure why it's not matching wedge.org's... I'll fix that.

CerealGuy

  • Posts: 343
[Security issue] Re: /plugins/<name>/plugin-info.xml
« Reply #2, on March 18th, 2014, 09:10 PM »
It was the same on my local installation and on my webspace. Both are not the latest commit, perhaps it's already changed, but because it also "worked" on wedge.org I didn't look whether it's on git too.

EDIT: Now I get a 403, that's good.

Nao

  • Dadman with a boy
  • Posts: 16,082
[Security issue] Re: /plugins/<name>/plugin-info.xml
« Reply #3, on March 18th, 2014, 09:30 PM »
You should know that preventing access to XML files won't make it impossible to try and access a folder with a known name... you can always check for a non-xml file's presence, if you're aware of what the plugin folder has.
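The two points in this thread (blocking plugin-info.xml in the first post, and Nao's remark that any other file in a known folder still reveals the plugin) are both addressed by turning the extension blocklist into a default deny with a small allowlist. The following /plugins/.htaccess is an added example, not Wedge's own configuration; it assumes Apache 2.4 with mod_authz_core, that AllowOverride permits these directives in .htaccess, and that the only files a plugin must serve directly to browsers are static assets (the extension list is an assumption, adjust it to what your plugins ship).

```apache
# Added example, not part of Wedge: default-deny for /plugins/ with an allowlist.
# Assumes Apache 2.4 (mod_authz_core) and AllowOverride allowing these directives.

# 1. Refuse direct HTTP access to everything under /plugins/ by default.
#    The forum loads plugin PHP via include() from disk, not over HTTP, so
#    plugins keep working; plugin-info.xml, .php sources and archives are
#    no longer fetchable, and probing for arbitrary file names in a plugin
#    folder gets the same 403 whether the file exists or not.
Require all denied

# 2. Re-allow only the static assets a plugin legitimately serves to browsers.
#    (Assumed list: trim it if your plugins ship fewer asset types.)
#    Note: files matched here still reveal that the plugin is installed, so
#    keep this list as short as possible.
<FilesMatch "\.(css|js|png|jpe?g|gif|svg|webp|woff2?)$">
    Require all granted
</FilesMatch>

# 3. Apache 2.2 equivalent (mod_authz_host), for older hosts:
# Order deny,allow
# Deny from all
# <FilesMatch "\.(css|js|png|jpe?g|gif|svg|webp|woff2?)$">
#     Order allow,deny
#     Allow from all
# </FilesMatch>
```

To verify the rule after deploying it, request /plugins/<name>/plugin-info.xml and expect a 403, then request one of that plugin's stylesheets or scripts and expect a 200; if the forum's pages lose styling, the allowlist in step 2 is missing an asset type the plugin serves. In Apache 2.4 the `Require all granted` inside `<FilesMatch>` replaces the directory-level `Require all denied` for matching files because AuthMerging defaults to Off, which is exactly the precedence this configuration relies on.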