Leaving the Back Door Open: File Permissions in WordPress

June 9th, 2008 | by blank89

[Image: Plugins directory]

Some people might say that the difference between a seasoned hacker and a script kiddie is that the script kiddie will take a vulnerability from someone else, and a hacker will find the vulnerability himself. There is another difference that is crucial to a seasoned hacker. A seasoned hacker will only need to try once to break a system. That doesn’t mean that he will find a vulnerability right away, but that when he does try it on your system he is sure it will work the first time.

One way they can be sure their exploit will work is if they can figure out what software their victim is running. This happens when the victim is giving away too much information. In my article about hardening WordPress I showed you some plugins that will try to hide your WP version. They usually do this by removing references to the version from the output HTML. However, there is another way to figure out what software is running on the server. If your file permissions are set wrong, an attacker could potentially figure out what themes and plugins you’re running. If the attacker can do that, he doesn’t need to find a vulnerability in WordPress; he can just find a vulnerability in one of those plugins or themes.

[Image: Themes directory]

Even worse, if you left access to the plugins and themes directories open, the attacker can guess which versions of the plugins you’re running from the size of the files. All it takes is a quick Google search for each of those plugins (+ “exploit”) and they will know whether there is already an exploit out there. No exploit? No problem. They know what version you’re running, so they can start looking for one.

Remember that themes can have vulnerabilities as well. Simply checking the themes directory will allow for the same kind of information gathering as the plugins directory.

As a proof of concept, go to a poorly maintained WordPress blog, and after the “www.example.com” type “/wp-content/themes” or “/wp-content/plugins”. If the blog is vulnerable, you will see a directory listing. If it is not, you will see a 404 error. To fix the problem, the permissions on these directories must be set so that world (“other”) users do not have read permission.
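
A local audit of the fix described above, as an added example that is not part of the original post: it lists the plugin and theme directories whose mode still grants world-read, and removes that bit. The function names and the WordPress root argument are assumptions, and it assumes the web server reaches these files through the “other” permission bits.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# WordPress root argument are assumptions for illustration.

# List directories under wp-content/plugins and wp-content/themes whose
# mode has the world-read bit set, i.e. the ones a server process
# running as "other" can enumerate into a directory listing.
list_world_readable_dirs() {
    wp_root=$1
    for sub in plugins themes; do
        dir="$wp_root/wp-content/$sub"
        [ -d "$dir" ] || continue
        # -perm -0004 matches when o+r is set, whatever other bits are set
        find "$dir" -type d -perm -0004 -print
    done
}

# Apply the fix from the article: drop world-read on each flagged
# directory. World-execute is left untouched, so files can still be
# opened by exact path; only enumeration of the directory is removed.
remove_world_read() {
    wp_root=$1
    for sub in plugins themes; do
        dir="$wp_root/wp-content/$sub"
        [ -d "$dir" ] || continue
        find "$dir" -type d -perm -0004 -exec chmod o-r {} +
    done
}

# Report findings; a non-zero status makes this usable from cron or a
# deployment check.
audit() {
    found=$(list_world_readable_dirs "$1")
    if [ -n "$found" ]; then
        printf 'world-readable (listing possible):\n%s\n' "$found"
        return 1
    fi
    echo "no world-readable plugin or theme directories"
}

# Usage, from a shell that has sourced this file:
#   audit /path/to/wordpress || remove_world_read /path/to/wordpress
```

Because world-execute stays set, a file or plugin directory can still be requested by its exact name, which is the probing the author describes in the comments below.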

2 Responses to “Leaving the Back Door Open: File Permissions in WordPress”

  1. By jesse on Jun 14, 2008

    lol, nice directory there eh?

    alternatively.. upload an index.html

  2. By blank89 on Jun 17, 2008

    If you upload an index.html/.php and the permissions are set incorrectly for the whole directory structure, the attacker can still probe for vulnerable plugins by trying to go to the specific plugin directory and looking for a response.