I told some people about this in an earlier WordCamp i think. I’m talking about a code that seems smart, allowing a script to auto-include all .php files from a plugin or theme’s folder.
Smart code
The goal of this kind of code is to auto-include all files from /inc/ for example, and without adding any line of code like include( MY_PATH . '/class-new-fiture.php' );.
As you may know, a good developper is a lazy one. the less redondant, the less you’ll have to maintain it, the code is more clean and smart.
Well, but here the idea is bad, no really, it’s as good as it’s bad.
Here’s the code, it exists in many plugins and themes, i take this one ust because a client of me just been hacked because of it:
Code from Velvet Theme
The code is clean, commented, indented, with some function_exists(), some if and some isset(), perfect!
The author now just have to add some files in the correct folders, and Booya, nothing else to do!
The theme is using thi fonction like that:
Inclusion de scripts JS et styles CSS
All .js and .css files will be returned for a correct inclusion à la WordPress, and all the .php files will be included with include_once().
This .php files can be used for adding the filters hook to enqueue them.
The good idea
Great idea, isn’t it? Gain of time, less maintenance, good, push on prod.
But here, the author just helped the attakers to hack you website. How?
Imagine a vulnerability that allows an attacker to upload a malicioux .php file in these folders. But these folders are protected with htaccess, a simple deny from all is enought.
The hacker will be stuck, he just uploaded a file but can not reach it.
The flaw …
BUT, since the hacker uploaded the files in the /css/ or /js/ folder, the auto-include function from the theme will automatically include its malicious file. Cheers to the author (or not).
Or not.
The base idea was good, but you have take the good posture about security:
- Is my developpement can lead to an attack?
- Is my script can hurt a user’s website?
You have to think about it, you have to become your own hacker and hack you. If you can’t do this, ask for an audit from people who can, they can help you a lot. Do not take the risk to spread a product that can harm websites with a critical flaw.
The theme’s author has been warned, is you discoveer this kind of function that auto-include .php files, do not hesitate to comment here, to alert the author giving him this link, we all have to win about this.
