When it comes to fixing the problems with how the security of WordPress plugins is handled, we feel that fixing the moderation of the Support Forum is important, since right now that moderation is used to cover problems up (it doesn’t seem like that is necessarily all that intentional, but it ends up having that effect anyway). One of the problems being covered up is that the people in charge of the Plugin Directory really don’t seem up to the task and seem unable to work with others to try to improve. As an example of that, take something from a few days ago that was posted on the Support Forum. It is no longer accessible, but we saw it because of an email alert we have set up to keep track of discussions that might relate to plugin vulnerabilities.
Here is a comment from the head of the Plugin Directory, Mika Epstein, related to someone bringing up a “possible vulnerability” in Advanced Contact form 7 DB:
WordPress itself doesn’t put index.html or php files in any upload directory. The reason is that blocking indexing can (and should) be done at the server level via .htaccess or .conf files.
Please read https://stackoverflow.com/a/23582628
There are a couple of big issues with that. The first is that if you follow that link the first thing you see is this:
Yes, blocking directory index is a good idea in web apps. The index.* file is interpreted by web server instead of providing standard directory listing. Creating an empty index.* file is only one (although the easiest and compatible with all(?) http servers) way of blocking users from viewing the contents of the directory. Another way is to configure webserver to not serve the directory index. In Apache this can be done in the .conf file with
So what they are citing says that “blocking directory index is a good idea in web apps” and first suggests doing it with index.html or php files, so it doesn’t back up their claim; if anything, it says the contrary.
The other problem is that WordPress doesn’t block indexing at the server level via .htaccess or .conf files, even though it does normally create a .htaccess file for other purposes. So we are not sure what the relevance of what they are claiming is supposed to be.
Plugins frequently do create both index files and .htaccess restrictions for security purposes, which is something you would expect someone who is the head of the Plugin Directory to know. It would be great if someone could reply and explain those things to them, but visiting the page it was posted on just gets you a message that “Oops! That page can’t be found.”
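To show concretely what that plugin practice looks like, here is an added example of the kind of helper a plugin would run on activation to protect its upload directory. This is not code from Advanced Contact form 7 DB or from WordPress core; it assumes a WordPress environment (wp_upload_dir(), wp_mkdir_p() and trailingslashit() are core functions), and the helper name pv_protect_upload_dir() and the directory name are illustrative. It layers both approaches from the discussion above: index files that any web server will serve instead of a listing, and an Apache .htaccess that turns autoindex off at the server level.

```php
<?php
// Added example, not the plugin's or WordPress's own code.
// Assumes WordPress is loaded; helper and directory names are illustrative.

function pv_protect_upload_dir( $subdir = 'advanced-cf7-upload' ) {
    $upload = wp_upload_dir();
    if ( ! empty( $upload['error'] ) ) {
        return false; // uploads directory is not configured or not writable
    }

    $dir = trailingslashit( $upload['basedir'] ) . $subdir;
    if ( ! wp_mkdir_p( $dir ) ) {
        return false;
    }
    $dir = trailingslashit( $dir );

    // 1. Application-level guard: an index file the web server serves instead of
    //    generating a listing. Works on any server that honours index files.
    //    index.php covers hosts whose DirectoryIndex only lists PHP; the empty
    //    index.html covers hosts that only look for HTML. The comment text
    //    follows the convention WordPress uses in its own index.php files.
    if ( ! file_exists( $dir . 'index.php' ) ) {
        file_put_contents( $dir . 'index.php', "<?php\n// Silence is golden.\n" );
    }
    if ( ! file_exists( $dir . 'index.html' ) ) {
        file_put_contents( $dir . 'index.html', '' );
    }

    // 2. Server-level guard for Apache: disable automatic directory listings
    //    for this directory only. Effective only where the vhost has
    //    AllowOverride permitting Options; nginx ignores .htaccess entirely
    //    (its autoindex directive is off by default anyway).
    if ( ! file_exists( $dir . '.htaccess' ) ) {
        file_put_contents( $dir . '.htaccess', "Options -Indexes\n" );
    }

    return $dir;
}

// Typical wiring from the plugin's main file (register_activation_hook is a
// core WordPress function; __FILE__ is the plugin's own entry file).
// register_activation_hook( __FILE__, 'pv_protect_upload_dir' );
```

Neither layer is a substitute for the other: the index files keep a listing from appearing on servers where .htaccess is ignored, while `Options -Indexes` keeps the directory from being listed if the index files are ever deleted. Both only hide the directory contents; they do nothing to stop retrieval of a file whose name is already known, which is why a plugin storing sensitive uploads would additionally need access control on the files themselves.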
If we are wrong and Mika is right, there is still an issue here, as the plugin was subsequently updated in relation to this. The changelog entry reads:
We have upgraded with Security patched to securing user’s uploaded data which managed on advanced-cf7-upload directory.
If you look at the changes made to the code in that version, there is code added to create an index.html in the plugin’s upload directory.