ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6342/php/rule.adoc
jtingsanchali 96d9ddb930
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) 
* Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files
2022-04-07 08:53:59 -05:00

49 lines
2.4 KiB
Plaintext
Raw Blame History

WordPress makes it possible to install and update themes and plugins in the Administration Screens.
This is a convenient feature but it's also risky.
If an attacker manages to get access to the WordPress administrative area, this person can
then take advantage of the theme/plugin management feature to upload PHP code on the server
and to execute that code.
Defining the `DISALLOW_FILE_MODS` option to `true` in `wp-config.php` disables this risky feature.
The default value is `false`.
== Ask Yourself Whether
* Theme or plugin management features are available to users who cannot be fully trusted.
* There's a chance that the accounts of authorized users get compromised.
There is a risk if you answered yes to any of those questions.
== Recommended Secure Coding Practices
* Manage themes and plugins without WordPress Administration Screens. Using wp-cli is a possible option.
* Make sure that `DISALLOW_FILE_MODS` is defined in `wp-config.php`.
* Make sure that `DISALLOW_FILE_MODS` is set to `true`.
== Sensitive Code Example
----
define( 'DISALLOW_FILE_MODS', false ); // Sensitive
----
== Compliant Solution
[source,php]
----
define( 'DISALLOW_FILE_MODS', true );
----
== See
* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
* https://wordpress.org/support/article/editing-wp-config-php/#disable-plugin-and-theme-update-and-installation[wordpress.org] - Disable Plugin and Theme Update and Installation
* https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[OWASP Top 10 2017 Category A1] - Injection
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
* https://cwe.mitre.org/data/definitions/94[MITRE, CWE-94] - Improper Control of Generation of Code ('Code Injection')
* https://cwe.mitre.org/data/definitions/95[MITRE, CWE-95] - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Reference in New Issue View Git Blame Copy Permalink