insecure include code

  • Eli

    (@scheeeli)


    10 years, 1 month ago

    It was brought to my attention that your theme uses an insecure method to include CSS from other plugin files. I have seen my exploits involving malicious PHP code in CSS files, this is only a problem if those files are referenced by an include statement because the include function executes PHP code.

    Example from line 1999-2000 of css.php:

    if (function_exists('wp_pagenavi')) {
include (WP_PLUGIN_DIR.'/wp-pagenavi/pagenavi-css.css');

    This statement could also cause a PHP error if the folder for the wp-pagenavi plugin was renamed or if another plugin uses a function called “wp_pagenavi”. To fix both the bug and the security vulnerability here you should change this code (and all the other lines like it) to something like this:

    if (is_file(WP_PLUGIN_DIR.'/wp-pagenavi/pagenavi-css.css') && function_exists('wp_pagenavi')) {
echo file_get_contents(WP_PLUGIN_DIR.'/wp-pagenavi/pagenavi-css.css');

    Please let me know if intend to fix this issue or if you need any help with with any of this.

    Aloha, Eli

Viewing 3 replies - 1 through 3 (of 3 total)
  • Christi Nickerson

    (@christini)

    10 years, 1 month ago

    Hi Eli,

    This is a public forum, security vulnerabilities should be reported privately so issues can be addressed before being released publicly.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    10 years, 1 month ago

    That’s not so much as a vulnerability more of a bad practice/idea. CSS should be enqueued, using include isn’t a good idea for the reasons Eli mentioned.

    Christi Nickerson

    (@christini)

    10 years, 1 month ago

    Good to know Jan. Thanks for the clarification. Glad this wasn’t truly an exploit/security vulnerability being posted in a public forum 🙂

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘insecure include code’ is closed to new replies.