

Better, More Convenient, Private Support for Your iThemes Products Is Here.


We're moving support away from the forum and in to private tickets - Log In to Get Support Here


Note: any currently open support threads in the community forum will stay open while we resolve them.


Suggestion: Improving The Disabling Of Php Execution



1 reply to this topic

#1 Guest_Mario_* (Guests)

Posted 10 August 2014 - 09:45 AM

Hi again,

another thing came to my mind regarding the PHP execution, which I think will improve the disabling of PHP execution in the uploads folder a lot:
What if an attacker is aware of the fact that PHP execution is disabled in the uploads folder? Many Apache processes by default have no write permissions anywhere else but the uploads folder, BUT:
There is one more folder to which the Apache process may write: the upgrade folder, because if you update your WordPress/plugins with the built-in FTP upgrade, WordPress will make this folder writable for all (777). So if I, as an attacker, see that I can't execute anything in the uploads folder, I change the WordPress settings so that files get uploaded to the upgrade folder and make this feature a little bit useless.

I suggest extending the disabling of PHP execution to the complete wp-content folder.

Best
Mario
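The gap Mario describes (a world-writable `upgrade/` directory sitting beside a protected `uploads/`) is easy to audit for. The script below is an added example and is not code from this thread or from the iThemes Security plugin. It walks a `wp-content` tree, flags every directory that is world-writable and has no PHP-blocking `.htaccess` in itself or in any ancestor (Apache merges `.htaccess` files down the tree, which is exactly why a single rule at the top of `wp-content` covers the whole folder, as Mario suggests), and builds a constructed demo tree so it runs offline. The directory names, the demo `.htaccess` contents and the `HARDENED_HTACCESS` rule set are assumptions for illustration; the `php_flag engine off`, `FilesMatch`, `Deny from all` and `Require all denied` directives are standard Apache/mod_php syntax.

```python
import os
import re
import stat
import tempfile

# .htaccess directives that stop Apache from serving PHP files as code.
# Either form is treated as "PHP execution blocked" for that directory tree.
BLOCK_PATTERNS = (
    re.compile(r"^\s*php_flag\s+engine\s+off", re.I | re.M),
    re.compile(
        r"<FilesMatch\b[^>]*php[^>]*>.*?(Deny\s+from\s+all|Require\s+all\s+denied).*?</FilesMatch>",
        re.I | re.S,
    ),
)

# Constructed rule set for the top of wp-content (assumed contents, not the
# plugin's own). Because Apache merges .htaccess files down the directory
# tree, this one file also covers uploads/, upgrade/ and any other subfolder.
HARDENED_HTACCESS = (
    '<FilesMatch "\\.(php|phtml|php[0-9])$">\n'
    "    Require all denied\n"
    "</FilesMatch>\n"
)


def htaccess_blocks_php(directory):
    """True if <directory>/.htaccess contains one of the PHP-blocking directives."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return any(pattern.search(text) for pattern in BLOCK_PATTERNS)


def is_world_writable(directory):
    """True if the directory mode has the other-write bit (e.g. chmod 777)."""
    return bool(os.stat(directory).st_mode & stat.S_IWOTH)


def find_exposed_dirs(root):
    """Directories under root that are world-writable and not covered by a
    PHP-blocking .htaccess in themselves or any ancestor down to root.
    Returned as paths relative to root."""
    exposed = []
    for dirpath, dirnames, _files in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        if not is_world_writable(dirpath):
            continue
        covered = False
        current = dirpath
        while True:  # climb towards root looking for an inherited block
            if htaccess_blocks_php(current):
                covered = True
                break
            if os.path.samefile(current, root):
                break
            current = os.path.dirname(current)
        if not covered:
            exposed.append(os.path.relpath(dirpath, root))
    return exposed


def build_demo_tree():
    """Constructed wp-content layout mirroring the post: uploads/ carries its
    own blocking .htaccess, upgrade/ was left 777 by the FTP upgrader with no
    rule at all, plugins/ is not world-writable."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    uploads = os.path.join(root, "uploads")
    upgrade = os.path.join(root, "upgrade")
    plugins = os.path.join(root, "plugins")
    for d in (uploads, upgrade, plugins):
        os.mkdir(d)
    with open(os.path.join(uploads, ".htaccess"), "w") as fh:
        fh.write('<FilesMatch "\\.php$">\n    Deny from all\n</FilesMatch>\n')
    os.chmod(uploads, 0o777)
    os.chmod(upgrade, 0o777)
    os.chmod(plugins, 0o755)
    return root


def harden(root):
    """Drop the blocking rule at the top of wp-content so every subfolder inherits it."""
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write(HARDENED_HTACCESS)


if __name__ == "__main__":
    demo = build_demo_tree()
    print("exposed before:", find_exposed_dirs(demo))  # ['upgrade']
    harden(demo)
    print("exposed after: ", find_exposed_dirs(demo))  # []
```

Run it against a real install with `find_exposed_dirs("/path/to/wp-content")` after checking the mode bits and `.htaccess` coverage match how your server is actually configured; the audit only reads `.htaccess`, so a deployment that disables PHP through the main server config or through a PHP-FPM handler mapping will need the check adapted to that mechanism.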

#2 Chris Wiegman (iThemes Plugin Developer, Members, 17 posts)

Posted 11 August 2014 - 01:05 PM

Hi Mario,

Excellent point here. I've added it to the feature requests and will be reviewing it soon.

Cheers,
Chris Wiegman

iThemes Security Developer
