[wp-trac] [WordPress Trac] #17737: Full Path Disclosure

WordPress Trac wp-trac at lists.automattic.com
Thu Jun 9 21:59:41 UTC 2011


#17737: Full Path Disclosure
--------------------------+-----------------------------
 Reporter:  juliobox      |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Security      |    Version:  3.2
 Severity:  major         |   Keywords:
--------------------------+-----------------------------
 I already emailed this flaw to security at wordpress.org, but Andrew Nacin told
 me that this is not a WordPress flaw but a PHP server config flaw. So I
 post this here now.[[BR]]

 ----

 ''Exploit'' : http://WEBSITE.COM/?author[]=1 [[BR]]
 ''Problem'' : FPD (https://www.owasp.org/index.php/Full_Path_Disclosure)
 [[BR]]
 ''Solution'' : Add this "@ini_set('display_errors', 0);" or this
 "error_reporting(0);" at the end of the wp-config.php file. [[BR]]
 ''Patch'' : [[BR]]
 1) wp-includes/query.php line 2239 [[BR]]
 Replace
 {{{
 $q['author'] = (string)urldecode($q['author']);
 }}}
 by
 {{{
 // ?author[]=1 makes $q['author'] an array; urldecode() on an array raises a
 // warning that, with display_errors on, prints the absolute path of the script.
 if ( is_array( $q['author'] ) ) {
     $q['author'] = $q['author'][0];
 }
 $q['author'] = (string) urldecode( $q['author'] );
 }}}

 2) wp-includes/canonical.php line 142 [[BR]]
 Replace
 {{{
 } elseif ( is_author() && !empty($_GET['author']) && preg_match( '|^[0-9]+$|', $_GET['author'] ) ) {
 }}}
 by
 {{{
 // Same issue: preg_match() on an array warns; use the first element when an array was passed.
 } elseif ( is_author() && !empty($_GET['author']) && preg_match( '|^[0-9]+$|', !is_array($_GET['author']) ? $_GET['author'] : $_GET['author'][0] ) ) {
 }}}
 [[BR]]
 '''Julio''' - [http://www.boiteaweb.fr]
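The two halves of the fix described in the ticket (treat a query parameter that arrives as an array as invalid input, and keep PHP diagnostics out of the HTTP response) in one stand-alone PHP script. This is an added example for readers of the ticket, not code from the reporter or from WordPress core; the function names `scalar_query_param`, `author_id_from_query` and `harden_error_output` and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the ticket or WordPress core): hardening the
// handling of a query parameter that must be a scalar, plus the server-side
// setting that keeps any remaining PHP warning out of the response body.

declare(strict_types=1);

/**
 * Normalise a query-string value that must be a scalar.
 * PHP parses "?author[]=1" into array(0 => "1"); passing that array to a
 * string function such as urldecode() or preg_match() raises a warning that,
 * with display_errors enabled, includes the script's absolute path.
 * Returns null when the value is absent or not usable as a scalar.
 */
function scalar_query_param(array $query, string $key): ?string
{
    if (!array_key_exists($key, $query)) {
        return null;
    }
    $value = $query[$key];
    // Reject arrays (and anything else non-scalar) outright rather than
    // silently using element 0: an array is never a legitimate author request.
    if (!is_scalar($value)) {
        return null;
    }
    return (string) $value;
}

/**
 * Accept only an author id made of digits, mirroring the canonical.php check
 * quoted in the ticket. \z is used instead of $ because $ also matches before a
 * trailing newline, so "1\n" would otherwise pass.
 */
function author_id_from_query(array $query): ?int
{
    $raw = scalar_query_param($query, 'author');
    if ($raw === null || !preg_match('/^[0-9]+\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/**
 * Configuration half of the fix: never send PHP diagnostics to the client,
 * but keep logging them server-side so the warning stays visible to operators.
 * ini_set() returns false when a directive cannot be changed at runtime.
 */
function harden_error_output(): bool
{
    $ok = ini_set('display_errors', '0') !== false;
    $ok = ini_set('log_errors', '1') !== false && $ok;
    return $ok;
}

// Constructed sample inputs (not captured from a real site).
$samples = [
    'scalar'   => ['author' => '1'],
    'array'    => ['author' => ['1']],   // what ?author[]=1 parses to
    'nondigit' => ['author' => 'abc'],
    'newline'  => ['author' => "1\n"],
    'missing'  => [],
];

harden_error_output();
foreach ($samples as $label => $query) {
    $id = author_id_from_query($query);
    printf("%-8s => %s\n", $label, $id === null ? 'rejected' : "author $id");
}
```

Rejecting the array instead of taking its first element, as the patch in the ticket does, is a deliberate choice: no legitimate request sends `author` as an array, so returning null and falling through to the normal not-found handling removes the code path that triggers the warning at all. Turning off `display_errors` while leaving `log_errors` on is the defence-in-depth layer for any other place where unexpected input reaches a PHP warning.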

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/17737>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

