Friday, 3 March 2006

How to prevent direct execution of intypo.php

Darius 14:00 Filed under: Intypo

Neosecurity has reported some (low risk) security issues in WordPress. One concern is that several included files do not prevent direct access to themselves. Because the functions these files depend on are not defined when they are called directly, they abort with an error message, and that message may contain the local file path on the server. This is not a security problem in itself, but the information might be useful for other attacks.

To prevent files that are meant to be included by other WordPress files from being accessed directly, the following code can be added at the beginning of the script file:
if (eregi('filename_of_this_script.php', $_SERVER['PHP_SELF'])) die('You are not allowed to access this file directly.');
(Don’t forget to replace filename_of_this_script by the actual filename of the file you added this line to.)

According to a posting on wordpress.org, this won’t work if PHP is running via CGI on your server. So I have included this line in a new version 0.6.4 of Intypo, but left it disabled. If you want to enable it, edit intypo.php and remove the # at the beginning of line 15 of the code. If this causes trouble on your server, just edit intypo.php once more and add the # again to disable execution of line 15.
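As an added example (not code from Intypo or from the post above), the following guard shows the same idea in a form that does not depend on $_SERVER['PHP_SELF'], which is the value the CGI caveat above is about. The file name helper_functions.php, the function names and the ABSPATH check are assumptions for illustration; ABSPATH is the constant WordPress defines in wp-config.php before any plugin file is included, so an include-only plugin file can use it as proof that it was loaded by WordPress rather than requested on its own.

```php
<?php
// Added example, not the Intypo plugin's own code.
// Imagine this is the top of an include-only plugin file, "helper_functions.php"
// (hypothetical name). Everything below the guard assumes WordPress functions exist.

// Approach 1: the pattern the post describes, with the deprecated eregi()
// replaced by a case-insensitive comparison of the requested script name.
// PHP_SELF is filled in differently by some SAPIs (the post mentions CGI),
// so this check alone may silently do nothing on such servers.
function requested_directly_by_name(string $thisFile): bool
{
    $requested = basename($_SERVER['PHP_SELF'] ?? '');
    return strcasecmp($requested, basename($thisFile)) === 0;
}

// Approach 2: compare the file PHP is actually executing with this file.
// SCRIPT_FILENAME is set by the web server for both mod_php and CGI/FastCGI
// in most setups, so it is a more robust basis than PHP_SELF.
function requested_directly_by_path(string $thisFile): bool
{
    $script = realpath($_SERVER['SCRIPT_FILENAME'] ?? '');
    return $script !== false && $script === realpath($thisFile);
}

// Approach 3: require a marker that only the including environment defines.
// WordPress defines ABSPATH before loading plugins, so a direct request
// to this file never sees it.
function included_by_wordpress(): bool
{
    return defined('ABSPATH');
}

// Stop before any WordPress function is called. A direct request would
// otherwise reach a line such as add_action(...) and die with
// "Call to undefined function add_action() in /full/path/to/helper_functions.php",
// which is exactly the path disclosure the post is about.
if (!included_by_wordpress() || requested_directly_by_path(__FILE__)) {
    http_response_code(403);
    exit('You are not allowed to access this file directly.');
}

// From here on the file may safely rely on WordPress being loaded.
// (Hypothetical plugin code follows.)
function intypo_example_helper(string $text): string
{
    return $text; // placeholder body for the example
}
```

The ABSPATH check is the one most WordPress plugin files use today, because it needs no knowledge of the request environment at all; the path comparison is kept here to show how the post's file-name idea can be expressed without PHP_SELF. Whichever check is used, it must come before the first call to any WordPress function, otherwise the error message is already on its way to the client.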
