Monday, August 29, 2016

Wordpress Test Environment Requests

Why would somebody make a request to this path?

GET /test/wp-admin/

It appears this is a common, perhaps the default, location to install your "test" environment for a Wordpress blog. The problem appears to be if I do a google search for test wp-admin pages I get a bunch that are indexed and accessible.

I would never advise having your test environment accessible to the internet. Only have it accessible locally, you're just asking for trouble because test environments are never as locked down and monitored as production, and if your test blog is on the same server as production then you've just created a backdoor to production if an attacker can get into your test environment they're on your production server.

Another perhaps even bigger problem is that when I do the google search, most of these folders return directory listing and allow access to potentially sensitive files. Uh-oh. Lock down your test environments or remove them if you don't need them because the bad guys are looking for them!

More about neonprimetime

Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java

Top Github Contributions
  1. Qualys Scantronitor 2.0

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment