[Plugin: My FTP] security patch – restrict navigation to wordpress folder

  • Resolved nexus5

    (@nexus5)


    14 years, 11 months ago

    MyFTP is a high security risk because it allow navigation through the whole webserver. Here is a security patch to restrict navigation to the wordpress folder:

    @@ -154,6 +154,13 @@

   $pDir = pathinfo($dir);
   $parentDir = $pDir["dirname"];
+  /* nexus5 security patch */
+  function startsWith($haystack, $needle)
+  {
+    return strpos($haystack, $needle) === 0;
+  }
+  if (!startsWith($parentDir, get_home_path())) $parentDir = get_home_path();
+  /* nexus5 security patch */ 

 ?>
   <div id="subForm">

    http://ww.wp.xz.cn/extend/plugins/myftp/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Ken Dirschl

    (@badfun)

    14 years, 9 months ago

    thanks for this nexus5. This is a great quick fix.

    Ken Dirschl

    (@badfun)

    14 years, 9 months ago

    another hack is to remove the ‘up one level’ link, since there is already a ‘back one level’ link. Not elegant, but another fix.

    line 185

    <li><a href='" . $_SERVER["PHP_SELF"] . "?page=MyFtp&dir=$parentDir'>Up One Level</a></li>&nbsp;&nbsp;&nbsp;

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘[Plugin: My FTP] security patch – restrict navigation to wordpress folder’ is closed to new replies.