[wp-trac] [WordPress Trac] #45773: Full Path Disclosure if we access the file directly
WordPress Trac
noreply at wordpress.org
Wed Dec 26 17:42:08 UTC 2018
#45773: Full Path Disclosure if we access the file directly
--------------------------+--------------------------------------------
Reporter: alishanvr | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: | Focuses: performance, coding-standards
--------------------------+--------------------------------------------
Comment (by joyously):
You would need to patch a lot more files than just that one to get around
this.
See https://wordpress.slack.com/archives/C60K3MP2Q/p1545190442268800
which is where, on Dec 18, I posted in #core-php:
I was looking at my security plugin log and there were attempts to find
known theme files like twentyfifteen/404.php and
twentyseventeen/footer.php that got a 404 on my site since it's in a
subfolder. So I wondered why someone would look for that, and came to the
conclusion that it will fatal and expose the server path to the folder.
I'm not sure what use this is to a hacker, but with the WSOD protector
code in place, would that make it better or worse for the hacker?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45773#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
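
The log pattern the comment describes, direct requests for theme template files such as twentyfifteen/404.php, can be pulled out of a web server access log. The following is an added example, not code from the ticket or from WordPress; it assumes combined-log-format lines and the default wp-content/themes layout, and the sample log lines and the function name find_theme_probes are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined-log-format line: client IP, request path, status code (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) ')
# A theme PHP file requested by URL rather than loaded through WordPress.
THEME_RE = re.compile(r'/wp-content/themes/([^/]+)/((?:[^/?]+/)*[^/?]+\.php)(?:\?|$)')

# Constructed sample lines (documentation IP ranges), not taken from the ticket.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Dec/2018:03:12:01 +0000] "GET /wp-content/themes/twentyfifteen/404.php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [18/Dec/2018:03:12:02 +0000] "GET /wp-content/themes/twentyseventeen/footer.php HTTP/1.1" 404 512 "-" "-"
198.51.100.9 - - [18/Dec/2018:04:00:10 +0000] "GET /blog/wp-content/themes/twentyseventeen/footer.php HTTP/1.1" 500 0 "-" "-"
198.51.100.9 - - [18/Dec/2018:04:00:11 +0000] "GET /blog/ HTTP/1.1" 200 8123 "-" "-"
192.0.2.44 - - [18/Dec/2018:05:30:00 +0000] "GET /blog/wp-content/themes/twentyseventeen/style.css HTTP/1.1" 200 3301 "-" "-"
"""

def find_theme_probes(log_text):
    """Return {client_ip: {"missed": [...], "reached": [...]}} for direct theme-file requests."""
    hits = defaultdict(lambda: {"missed": [], "reached": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        t = THEME_RE.search(path)
        if not t:
            continue  # not a PHP file under a theme directory
        target = f"{t.group(1)}/{t.group(2)}"
        # 404: nothing was served from that URL. Any other status was not a
        # plain miss, so review that response for an exposed server path.
        bucket = "missed" if status == 404 else "reached"
        hits[ip][bucket].append((target, status))
    return dict(hits)

if __name__ == "__main__":
    for ip, result in find_theme_probes(SAMPLE_LOG).items():
        print(ip, "missed:", result["missed"], "reached:", result["reached"])
```

Entries under "reached" are the ones to follow up: they show a theme file answering at that URL, which is the case where a fatal error could include the server path.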