rspec/rules/S6342/php/rule.adoc

WordPress makes it possible to install and update themes and plugins in the Administration Screens.
This is a convenient feature but it's also risky.
If an attacker manages to get access to the WordPress administrative area, this person can 
then take advantage of the theme/plugin management feature to upload PHP code on the server
and to execute that code.
Defining the `DISALLOW_FILE_MODS` option to `true` in `wp-config.php` disables this risky feature.
The default value is `false`.

== Ask Yourself Whether

* Theme or plugin management features are available to users who cannot be fully trusted.
* There's a chance that the accounts of authorized users get compromised.

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

* Manage themes and plugins without WordPress Administration Screens. Using wp-cli is a possible option. 
* Make sure that `DISALLOW_FILE_MODS` is defined in `wp-config.php`.
* Make sure that `DISALLOW_FILE_MODS` is set to `true`.

== Sensitive Code Example

----
define( 'DISALLOW_FILE_MODS', false ); // Sensitive
----


== Compliant Solution

----
define( 'DISALLOW_FILE_MODS', true );
----

== See

* https://wordpress.org/support/article/editing-wp-config-php/#disable-plugin-and-theme-update-and-installation[wordpress.org] - Disable Plugin and Theme Update and Installation
* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
* https://cwe.mitre.org/data/definitions/94[MITRE, CWE-94] - Improper Control of Generation of Code ('Code Injection')
* https://cwe.mitre.org/data/definitions/95[MITRE, CWE-95] - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Create rule S6342: Allowing themes and plugins to be managed in WordPress admin area is security-sensitive (#238) * Create rule S6342 * First real description * Update rules/S6342/php/rule.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Address review suggestions Co-authored-by: pynicolas <pynicolas@users.noreply.github.com> Co-authored-by: Pierre-Yves Nicolas <pierre-yves.nicolas@sonarsource.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2021-08-12 09:06:07 +00:00			`WordPress makes it possible to install and update themes and plugins in the Administration Screens.`
			`This is a convenient feature but it's also risky.`
			`If an attacker manages to get access to the WordPress administrative area, this person can`
			`then take advantage of the theme/plugin management feature to upload PHP code on the server`
			`and to execute that code.`
			Defining the `DISALLOW_FILE_MODS` option to `true` in `wp-config.php` disables this risky feature.
			The default value is `false`.

			`== Ask Yourself Whether`

			`* Theme or plugin management features are available to users who cannot be fully trusted.`
			`* There's a chance that the accounts of authorized users get compromised.`

			`There is a risk if you answered yes to any of those questions.`


			`== Recommended Secure Coding Practices`

			`* Manage themes and plugins without WordPress Administration Screens. Using wp-cli is a possible option.`
			* Make sure that `DISALLOW_FILE_MODS` is defined in `wp-config.php`.
			* Make sure that `DISALLOW_FILE_MODS` is set to `true`.

			`== Sensitive Code Example`

			`----`
			`define( 'DISALLOW_FILE_MODS', false ); // Sensitive`
			`----`


			`== Compliant Solution`

			`----`
			`define( 'DISALLOW_FILE_MODS', true );`
			`----`

			`== See`

			`* https://wordpress.org/support/article/editing-wp-config-php/#disable-plugin-and-theme-update-and-installation[wordpress.org] - Disable Plugin and Theme Update and Installation`
			`* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection`
			`* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration`
			`* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)`
			`* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')`
			`* https://cwe.mitre.org/data/definitions/94[MITRE, CWE-94] - Improper Control of Generation of Code ('Code Injection')`
			`* https://cwe.mitre.org/data/definitions/95[MITRE, CWE-95] - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')`