Apparently, people realized that if they have their folders indexable, they could be indexed. OMG! And that you can view your plugins directory via Google. Holy crap!
First off, their Google dork isn't even right. Index of /wp-content/plugins should clearly be intitle:"Index of /wp-content/plugins", or else I'll get yours and this shitty post in the results.
But that’s not even that good. It only applies to people with their blog hosted in the root directory. If you have it in the blog/ directory, you don’t get hit.
So now, the query should be intitle:"Index of"+intitle:"/wp-content/plugins". This returns about 50k more results.
But what about the usefulness of this?
Let’s say there is a vulnerability in the “Share This” plugin.
We can try the directory way that's supposedly so vulnerable: intitle:"Index of /wp-content/plugins" share-this.php gives 40 hits.
Or a better method. We know that the plugin adds a link called "Share This" to every post. Don't believe me? Scroll down a bit and you'll see it. So we can search for "Share This" on pages that contain the word wordpress (it's usually in the footer), but exclude pages that use the word plugin or that have wordpress or Share This in the title, since those are probably just talking about the plugin itself: wordpress+"Share This" -plugin -intitle:"wordpress" -intitle:"Share This" gives 3.3 million hits.
Sure, there will be false positives, but there's a much greater chance of having a much bigger impact. Who cares about the false positives? If it doesn't work, it doesn't work. Just move on. You could start it at night and have tried all the sites before even waking up. Well, maybe. Probably not, but you'll have a lot more than 40.
I’m thinking the severity of the whole directory being exposed is a little dramatic. Yeah, it’s probably better if it wasn’t indexed, but it’s not killing anyone. Now, if you have a password in there, that’s a different case.
In fact, here is my plugin directory. (I have indexes off by default, mainly because netfirms doesn’t use Apache’s indexing thing)
% ls -lA wp-content/plugins
total 1400
drwxr-xr-x 2 2701791 552 512 May 8 18:41 404-notifier
-rw-r--r-- 1 2701791 552 4667 May 8 18:41 404-notifier.tar.gz
drwxr-xr-x 3 2701791 552 512 May 7 22:18 PostToTwitter
-rw-r--r-- 1 2701791 552 2134 May 7 22:16 PostToTwitter.tar.gz
drwxr-xr-x 2 2701791 552 512 Apr 21 16:03 akismet
drwxr-xr-x 2 2701791 552 512 May 8 18:41 comment-relish
-rw-r--r-- 1 2701791 552 3536 May 8 18:35 comment-relish.tar.gz
drwxr-xr-x 2 2701791 552 512 May 7 22:18 easy-auctionads
-rw-r--r-- 1 2701791 552 7542 May 7 22:16 easy-auctionads.tar.gz
-rw-r--r-- 1 2701791 552 54904 Apr 21 15:20 goog.tar.gz
drwxr-xr-x 2 2701791 552 1024 Apr 21 16:20 google-sitemap-generator
drwxr-xr-x 5 2701791 552 512 Apr 21 16:49 gregarious
-rw-r--r-- 1 2701791 552 109199 Apr 21 15:49 gregarious.tar.gz
-rwxr-xr-x 1 2701791 552 2025 Oct 25 2006 hello.php
-rw-r--r-- 1 2701791 552 5152 Nov 16 2006 ol_feedburner.php
-rw-r--r-- 1 2701791 552 1861 Jul 24 2006 sem-unfancy-quote.php
drwxr-xr-x 2 2701791 552 512 May 8 18:40 share-this
-rw-r--r-- 1 2701791 552 14032 May 8 18:35 share-this.tar.gz
drwxr-xr-x 2 2701791 552 512 May 7 22:17 stats
-rw-r--r-- 1 2701791 552 5213 May 7 22:16 stats.tar.gz
drwxr-xr-x 3 2701791 552 512 May 8 18:41 subscribe-to-comments
-rw-r--r-- 1 2701791 552 16017 May 8 18:36 subscribe-to-comments.tar.gz
drwxr-xr-x 2 2701791 552 512 May 8 18:40 twitter-tools
-rw-r--r-- 1 2701791 552 17148 May 8 18:36 twitter-tools.tar.gz
drwxr-xr-x 4 2701791 552 512 Apr 21 21:47 widgets
-rw-r--r-- 1 2701791 552 26579 Apr 21 20:48 widgets.tar.gz
drwxr-xr-x 2 2701791 552 512 Apr 21 16:20 wp-cache
-rw-r--r-- 1 2701791 552 47104 Apr 21 15:21 wp-cache.tar
-rw-r--r-- 1 2701791 552 31091 Jul 26 2006 wp-db-backup.php
drwxr-xr-x 4 2701791 552 512 Apr 25 12:54 wp-syntax
-rw-r--r-- 1 2701791 552 309747 Apr 25 12:56 wp-syntax.tar.gz
Yes, I download the zips and then convert them to tarballs; that's why all of my widgets are available in both formats.
But it also raises another question: how many of those do I have enabled?
404Notifier? No. PostToTwitter? No. akismet? Yes. Comment-relish? No. Easy-auctionads? Hell no. Google Sitemaps? Yes. Gregarious? No. Hello Dolly? Fuck no. Feedburner? Yes. Unfancy quote? Hell yes. Share this? Yup. Stats? Yes. Twitter tools? I had to check, but yes apparently. WP Cache? Yes, WordPress is too slow without it. DB Backup? Yup. WP Syntax? Yes, I likes me fancy highlighting.
10 out of 16 enabled. Does it mean that they can't be exploited without being enabled? Not necessarily, but to an extent, yes. A plugin file requested directly should die with a fatal error when it gets to an add_action call, because WordPress hasn't been loaded and that function doesn't exist, unless the plugin executes other PHP code or includes other files before calling add_action. They probably shouldn't do that in the first place, though. include($_GET['file']); comes to mind.
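As an added illustration, not code from the original post, here is that direct-access pattern side by side with a hardened form: the unsafe file includes whatever the query string names before it ever reaches add_action, while the hardened file refuses to run outside WordPress and only includes files from a fixed allowlist inside its own directory. The plugin name "demo-plugin", the module files and the demo_ functions are made-up names for the example.

```php
<?php
// Added example (not from the original post). "demo-plugin", the modules/
// files and the demo_* functions are hypothetical names.

// --- Unsafe: runs before WordPress is loaded -------------------------------
// A direct request for this file reaches the include() before the call to
// add_action() ever fails, so the file named in ?file= is included whether or
// not the plugin is enabled. Kept commented out; shown for contrast only.
/*
include($_GET['file']);                 // executes before add_action() is reached
add_action('wp_footer', 'demo_footer'); // only here does a direct request die
*/

// --- Hardened ---------------------------------------------------------------
// 1. Refuse to run unless WordPress has been loaded. WordPress defines ABSPATH
//    while bootstrapping (wp-config.php / wp-load.php), so a direct request to
//    this file exits before any other code runs.
if (!defined('ABSPATH')) {
    http_response_code(403);
    exit;
}

// 2. Never build an include path from request data. Map a short key to a fixed
//    set of files that live inside this plugin's own directory.
function demo_load_module(string $key): bool
{
    $modules = [
        'footer' => 'modules/footer.php',
        'widget' => 'modules/widget.php',
    ];
    if (!isset($modules[$key])) {
        return false;                   // unknown key: load nothing
    }
    $path = __DIR__ . '/' . $modules[$key];
    if (!is_file($path)) {
        return false;
    }
    require_once $path;
    return true;
}

// 3. Read the request parameter only after the guard above, and only as a key
//    into the allowlist (never as a path). Reject non-string values outright.
$requested = (isset($_GET['module']) && is_string($_GET['module']))
    ? $_GET['module'] : 'footer';
demo_load_module($requested);

add_action('wp_footer', 'demo_footer');
```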
And if anyone is wondering where all the scripts are, I’ll have a couple of widgets soon and another couple of python scripts.