Opened 10 years ago
Last modified 10 years ago
#2492 new defect
Incorrect file permissions in wp-security-scan plugin
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | highest | Severity: | critical |
| Plugin: | not-listed | Keywords: | file permissions |
| Cc: | | | |
Description
There's a bug applying file permissions in the WsdSecurity.php file: when it sets the 664 permission on files, it uses quotes around the 0644 number, and the number is implicitly converted to an integer (and is not treated as octal) by PHP, as you can see in the following:
```
$ stat -c "%a %n" *
664 test1.txt
664 test2.txt
$ php -a
php > chmod('test1.txt', 0644); // without single quotes
php > chmod('test2.txt', '0644'); // with single quotes
$ stat -c "%a %n" *
644 test1.txt
1204 test2.txt
```
So the files on the server can't be chmod'ed by a user without admin privileges; because of this I set the priority of the ticket to highest and the severity to critical.
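The behaviour reported above, reproduced on a scratch file next to one way to accept a quoted mode safely. This is an added example, not code from the wp-security-scan plugin or from the reporter; `normalize_mode()` and `mode_of()` are hypothetical helper names.

```php
<?php
// Added example; not code from the wp-security-scan plugin.

/**
 * Hypothetical helper: accept a mode as an int (0644) or an octal
 * string ('0644', '644') and return the integer chmod() expects.
 */
function normalize_mode($mode)
{
    if (is_string($mode)) {
        if (preg_match('/\A0?[0-7]{3,4}\z/', $mode) !== 1) {
            throw new InvalidArgumentException("Not an octal mode: $mode");
        }
        $mode = intval($mode, 8); // parse the digits as octal explicitly
    }
    if (!is_int($mode) || $mode < 0 || $mode > 07777) {
        throw new InvalidArgumentException('Mode out of range');
    }
    return $mode;
}

/** Hypothetical helper: read back a file's permission bits as octal. */
function mode_of($path)
{
    clearstatcache(true, $path);
    return sprintf('%04o', fileperms($path) & 07777);
}

// Constructed scratch file so the demo does not touch real content.
$file = tempnam(sys_get_temp_dir(), 'chmod-demo-');

// The call from the ticket: '0644' is coerced to decimal 644 (octal 1204).
chmod($file, '0644');
printf("quoted string  -> %s\n", mode_of($file));

// Same string routed through the helper: parsed as octal 0644.
chmod($file, normalize_mode('0644'));
printf("normalize_mode -> %s\n", mode_of($file));

// Integer literal with the leading zero, as in the ticket's first call.
chmod($file, 0644);
printf("octal literal  -> %s\n", mode_of($file));

unlink($file);
```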
Change History (1)