Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Reduce chances of PHP plugins being malicious

Tags:

security

php

plugins

wordpress

I was wondering what steps you use to keep downloaded plugins from being malicious?

For example, what does wordpress do to ensure that the plugins you download do not simply execute unlink('/')

I'm assuming it partly depends partly on downloader to install plugins to use his or her own discretion, but do plugin systems take measures to minimize the security risk of running 3rd party plugins?

Thanks! Matt Mueller

like image 678
Matt Avatar asked Jan 21 '23 19:01

Matt

2 Answers

Simple answer: you can't do this programmatically. Simply can't be done. Certainly Wordpress has a validator of some sort to determine whether the plugin is outright nasty, but there's no way to say for certain that it is safe.

I'm an intern at Mozilla this summer and I'm working on the validator that scans add-ons as they're submitted to addons.mozilla.org. I can only imagine that Wordpress has a very similar tool on their end. The idea is that the app outright rejects blatantly malicious code (eval("evil nasty code");), while the rest of it is analyzed with some simple heuristics. The algorithms in place mark down some potential red flags based on what it sees in the add-on package and submits those notes to the editors, who then review the code. It effectively ends up being a human-powered process, but the software helps to take care of a lot of the heavy lifting.

Some techniques that the Mozilla validator uses:

  • Syntax checking
  • Code and markup parsing (HTML/CSS) to find remote code vulnerabilities
  • Javascript parsing and analysis (parse the JS to an AST tree and analyze each statement, evaluating static expressions as deeply as possible)
  • Compatibility/deprecation testing

You can check out the code here:

http://github.com/mattbasta/amo-validator

Hope this helps!

like image 147
mattbasta Avatar answered Jan 30 '23 02:01

mattbasta

unlink('/') wont do any harm since it only deletes files, you would have to use rmdir or more precisely a recursive rmdir implementation. I don't think there is any way to prevent malicious code from being executed because there are many ways of being malicious. You can restrict certain functions from being called in php.ini but that will only help you to a certain point. For instance, str_repeat and unserialize are common functions but if called with the right arguments they can exaust all the memory allocated to your PHP scripts in no time. But this is only an example, a more nefarious one could act as a backdoor or email all the logins to the developer. I guess in the end you'll have to trust the developer and the community if you don't want to audit the code by yourself.

like image 30
Alix Axel Avatar answered Jan 30 '23 01:01

Alix Axel
Sign in to Comment

Related questions

Trying to collect email analytics
Redirecting in a PHP page to another PHP page
Easiest way to choose a percentage of an amount of rows from a MySQL table?
Save 20 users with one SQL query?
CData section not finished problem
Is there a solution for pdf template in PHP?
All PHP files getting hacked
Uploading PDF or .doc and security
problem in counting two fields in one query
How to transition from PHP to Python Django?
PHP, MySQL: mysql substitute for php in_array function
is_dir does not recognize folders
Incremental Backups / Versioned backups using PHP
PHP header Location works in the middle of HTML
PHPMailer echo's from successful sent email
PHP Case Insensitive Word Replacement
Paypal return URL - using GET parameters?
What is a mature PHP solution to use for user logins?
Using netbeans, xdebug, symfony and phpunit together
How to make TLS connection from PHP in web server, and safely

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!