You’re In My Server, Looking At My Plugins

Apparently, people have realized that if directory listings are enabled on their server, Google will index them. OMG! And that you can then browse someone's plugins directory straight from Google. Holy crap!

First off, their Google dork isn't even right. Index of /wp-content/plugins with no operator matches any page that merely contains those words, so it returns yours and this shitty post along with the real listings. It should clearly be intitle:"Index of /wp-content/plugins", which only matches pages whose title is the Apache listing title.

But that's still not very good. The title of an Apache directory listing is the path from the web root, so intitle:"Index of /wp-content/plugins" only hits blogs installed at the root of the site. If WordPress lives in the blog/ directory, the title is Index of /blog/wp-content/plugins and that site doesn't get hit.

So the query should be intitle:"Index of"+intitle:"/wp-content/plugins", which matches the path wherever it appears in the title. This returns about 50k more results.

But what about the usefulness of this?

Let’s say there is a vulnerability in the “Share This” plugin.

We can try the directory way that's supposedly so vulnerable: intitle:"Index of /wp-content/plugins" share-this.php. 40 hits.

Or a better method. We know that the plugin adds a link called "Share This" to every post. Don't believe me? Scroll down a bit and you'll see it. So we can search for "Share This" on pages that also contain the word wordpress, since that's usually in the footer. Exclude pages containing the word plugin, since those are probably talking about the plugin itself, and exclude pages with wordpress or Share This in the title for the same reason. wordpress+"Share This" -plugin -intitle:"wordpress" -intitle:"Share This". 3.3 million hits.

Sure, there will be false positives, but the chance of a much bigger impact is far greater. Who cares about the false positives? If it doesn't work, it doesn't work. Just move on. You could start the run at night and have tried all the sites before even waking up. Well, maybe. Probably not, with 3.3 million. But you'll have a lot more than 40.

I think the severity of the whole directory being exposed is a little dramatic. Yeah, it's better if it isn't indexed, since a listing hands anyone your exact plugin names and versions without having to fingerprint them, but it's not killing anyone. Now, if you have a password in there, that's a different case.
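If you do want the listing gone, it is a one-line change on Apache. This is an added example and not part of the original post; it assumes Apache with mod_autoindex enabled and AllowOverride permitting Options in .htaccess (or that you can edit the server config directly).

```apache
# .htaccess in the WordPress root. Added example; assumes Apache with
# mod_autoindex and AllowOverride Options, not the original post's config.

# Weak setting: autoindex is on, so any directory without an index file
# (wp-content/plugins, wp-content/uploads, ...) returns a page titled
# "Index of /wp-content/plugins" that Google happily indexes.
# Options +Indexes

# Corrected setting: never generate listings. A request for a directory with
# no index file now gets a 403 instead of the file list.
Options -Indexes
```

On shared hosts that don't allow Options in .htaccess, an index.php containing nothing in each directory has the same effect, since the server then has a file to serve instead of generating a listing.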

In fact, here is my plugin directory. (I have indexes off by default, mainly because netfirms doesn't use Apache's directory indexing.)

% ls -lA wp-content/plugins
total 1400
drwxr-xr-x  2 2701791  552     512 May  8 18:41 404-notifier
-rw-r--r--  1 2701791  552    4667 May  8 18:41 404-notifier.tar.gz
drwxr-xr-x  3 2701791  552     512 May  7 22:18 PostToTwitter
-rw-r--r--  1 2701791  552    2134 May  7 22:16 PostToTwitter.tar.gz
drwxr-xr-x  2 2701791  552     512 Apr 21 16:03 akismet
drwxr-xr-x  2 2701791  552     512 May  8 18:41 comment-relish
-rw-r--r--  1 2701791  552    3536 May  8 18:35 comment-relish.tar.gz
drwxr-xr-x  2 2701791  552     512 May  7 22:18 easy-auctionads
-rw-r--r--  1 2701791  552    7542 May  7 22:16 easy-auctionads.tar.gz
-rw-r--r--  1 2701791  552   54904 Apr 21 15:20 goog.tar.gz
drwxr-xr-x  2 2701791  552    1024 Apr 21 16:20 google-sitemap-generator
drwxr-xr-x  5 2701791  552     512 Apr 21 16:49 gregarious
-rw-r--r--  1 2701791  552  109199 Apr 21 15:49 gregarious.tar.gz
-rwxr-xr-x  1 2701791  552    2025 Oct 25  2006 hello.php
-rw-r--r--  1 2701791  552    5152 Nov 16  2006 ol_feedburner.php
-rw-r--r--  1 2701791  552    1861 Jul 24  2006 sem-unfancy-quote.php
drwxr-xr-x  2 2701791  552     512 May  8 18:40 share-this
-rw-r--r--  1 2701791  552   14032 May  8 18:35 share-this.tar.gz
drwxr-xr-x  2 2701791  552     512 May  7 22:17 stats
-rw-r--r--  1 2701791  552    5213 May  7 22:16 stats.tar.gz
drwxr-xr-x  3 2701791  552     512 May  8 18:41 subscribe-to-comments
-rw-r--r--  1 2701791  552   16017 May  8 18:36 subscribe-to-comments.tar.gz
drwxr-xr-x  2 2701791  552     512 May  8 18:40 twitter-tools
-rw-r--r--  1 2701791  552   17148 May  8 18:36 twitter-tools.tar.gz
drwxr-xr-x  4 2701791  552     512 Apr 21 21:47 widgets
-rw-r--r--  1 2701791  552   26579 Apr 21 20:48 widgets.tar.gz
drwxr-xr-x  2 2701791  552     512 Apr 21 16:20 wp-cache
-rw-r--r--  1 2701791  552   47104 Apr 21 15:21 wp-cache.tar
-rw-r--r--  1 2701791  552   31091 Jul 26  2006 wp-db-backup.php
drwxr-xr-x  4 2701791  552     512 Apr 25 12:54 wp-syntax
-rw-r--r--  1 2701791  552  309747 Apr 25 12:56 wp-syntax.tar.gz

Yes, I download the zips and then convert them to tarballs, which is why most of my plugins show up in both formats.

But it also raises another question, how many of those do I have enabled?

404Notifier? No. PostToTwitter? No. akismet? Yes. Comment-relish? No. Easy-auctionads? Hell no. Google Sitemaps? Yes. Gregarious? No. Hello Dolly? Fuck no. Feedburner? Yes. Unfancy quote? Hell yes. Share this? Yup. Stats? Yes. Twitter tools? I had to check, but yes apparently. WP Cache? Yes, WordPress is too slow without it. DB Backup? Yup. WP Syntax? Yes, I likes me fancy highlighting.

10 out of 16 enabled. Does that mean the disabled ones can't be exploited? Not necessarily, but to an extent, yes. WordPress never includes a disabled plugin, so the only way to reach its code is to request the file directly over HTTP. Requested that way, the file runs without WordPress loaded, so PHP dies with an undefined-function fatal error at the first add_action() call (or any other WordPress function it touches). The exception is a plugin that executes user-supplied code or includes a file chosen by the request before it ever gets to add_action. Nobody should write that in the first place, but include($_GET['file']); comes to mind.
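Here is what both shapes look like in code. This is an added example, not any real plugin from the listing above or from the WordPress project; the plugin name, the template files, the style parameter and the ABSPATH guard are all assumptions chosen to show why add_action() normally kills a direct request and why an include placed before it does not.

```php
<?php
/*
Plugin Name: Example Plugin (added example, not any real plugin)
*/

// ---- Vulnerable shape ---------------------------------------------------
// Requested directly, e.g.
//   /wp-content/plugins/example/example.php?file=/etc/passwd
// WordPress is not loaded, but PHP still executes this file top to bottom.
// The include runs before any WordPress function is called, so the fatal
// error at add_action() below comes too late: the requested file has already
// been read and echoed (or executed, if it is PHP on the local filesystem).
function example_vulnerable_template() {
    include($_GET['file']);   // attacker-controlled path: local file inclusion
}
if ( isset( $_GET['file'] ) ) {
    example_vulnerable_template();   // reachable even when the plugin is disabled
}

// ---- Hardened shape -----------------------------------------------------
// ABSPATH is defined by wp-config.php / wp-load.php, so it is absent when the
// file is requested directly. Bail out before anything else runs. A disabled
// plugin is never included by WordPress, so this guard is the only thing
// between a direct request and the code below.
if ( ! defined( 'ABSPATH' ) ) {
    header( 'HTTP/1.1 403 Forbidden' );
    exit;
}

// Even when loaded by WordPress, never include a path taken from the request.
// Map a short key onto a fixed list of files inside the plugin's own
// directory and reject anything else; the user never supplies a path.
function example_load_template( $key ) {
    $templates = array(
        'compact' => 'templates/compact.php',
        'full'    => 'templates/full.php',
    );
    if ( ! isset( $templates[ $key ] ) ) {
        return false;
    }
    include dirname( __FILE__ ) . '/' . $templates[ $key ];
    return true;
}

function example_footer() {
    $key = isset( $_GET['style'] ) ? $_GET['style'] : 'compact';
    example_load_template( $key );
}

// With WordPress loaded this registers the hook; requested directly, this is
// the line where the "dies at add_action" behaviour kicks in, because
// add_action() is undefined. Everything reachable only through hooks is
// therefore safe from a direct request; the include above is not.
add_action( 'wp_footer', 'example_footer' );
```

The order matters more than the guard's exact form: the vulnerable half is dangerous precisely because its include sits above the first WordPress call, so the guard has to be the very first statement in the file.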

And if anyone is wondering where all the scripts are, I'll have a couple of widgets soon and another couple of Python scripts.

All of Google’s Toolbar Functionality, Without the Toolbar

I don't like Google's Toolbar, or really toolbars in general. Maybe it's because it brings back memories of horrible IE interfaces with way too many of them, or because the logos are bright and don't fit in at all, or maybe it's just that I like to see as much of the page as possible. Whatever the reason, it's got to go.

But I run into a problem: I like some of the features, mainly Web History, showing the current PageRank, and finding out about unread Gmail messages. And even though I still mainly use regular old bookmarking, I guess the ability to bookmark the current page might be useful. Thankfully, there are alternatives to all of them.

First, Web History and PageRank are easily covered by the Search Status extension, which shows the PageRank and Alexa rank for the current page/site. What's good about this is that Google records Web History through the PageRank lookup, so we don't need anything else to use the Web History app.

Download Search Status

Next, getting the unread count of Gmail messages. There are a few extensions that do this, but the best one, imo, is Gmail Manager. It lets you check multiple accounts (better than the toolbar), set the refresh rate, and doesn't take up valuable toolbar space, since it sits in the status bar at the bottom of the browser.

Download Gmail Manager

Finally, the bookmarking. There are quite a few extensions out there, but I didn't like any of them, so I wrote my own Greasemonkey script. You'll still need something to view the bookmarks, but bookmarking a page is a single key press: hit Pause/Break and the current page is saved to Google Bookmarks. Nothing else. You need Greasemonkey to use it.

Download Google Bookmarks via Key Press User Script

And now I don’t need the Google Toolbar anymore. Yay!