ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6342/php/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

49 lines
2.4 KiB
Plaintext
Raw Permalink Blame History

WordPress makes it possible to install and update themes and plugins in the Administration Screens.
This is a convenient feature but it's also risky.
If an attacker manages to get access to the WordPress administrative area, this person can
then take advantage of the theme/plugin management feature to upload PHP code on the server
and to execute that code.
Defining the `DISALLOW_FILE_MODS` option to `true` in `wp-config.php` disables this risky feature.
The default value is `false`.
== Ask Yourself Whether
* Theme or plugin management features are available to users who cannot be fully trusted.
* There's a chance that the accounts of authorized users get compromised.
There is a risk if you answered yes to any of those questions.
== Recommended Secure Coding Practices
* Manage themes and plugins without WordPress Administration Screens. Using wp-cli is a possible option.
* Make sure that `DISALLOW_FILE_MODS` is defined in `wp-config.php`.
* Make sure that `DISALLOW_FILE_MODS` is set to `true`.
== Sensitive Code Example
----
define( 'DISALLOW_FILE_MODS', false ); // Sensitive
----
== Compliant Solution
[source,php]
----
define( 'DISALLOW_FILE_MODS', true );
----
== See
* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
* https://wordpress.org/support/article/editing-wp-config-php/#disable-plugin-and-theme-update-and-installation[wordpress.org] - Disable Plugin and Theme Update and Installation
* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
* CWE - https://cwe.mitre.org/data/definitions/94[CWE-94 - Improper Control of Generation of Code ('Code Injection')]
* CWE - https://cwe.mitre.org/data/definitions/95[CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')]
Reference in New Issue View Git Blame Copy Permalink