[wp-trac] [WordPress Trac] #45773: Full Path Disclosure if we access the file directly
WordPress Trac
noreply at wordpress.org
Wed Dec 26 19:17:36 UTC 2018
#45773: Full Path Disclosure if we access the file directly
--------------------------+------------------------
Reporter: alishanvr | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Security | Version:
Severity: normal | Resolution: duplicate
Keywords: | Focuses:
--------------------------+------------------------
Comment (by alishanvr):
Hi,
I can do it to all the core files, if needed.
I can understand that we have to turn off the errors on live env. But I
think this should be implemented by WP by default, as there are several
hostings.
And if we search on Google dork we can find a lot of websites.
In the end, people said that we are using WP, that's why we are facing such
problems.
Is it not good if WP also has some checkups to avoid these kinds of
errors?
If you assign this task to me, then I can implement the same strategy on
almost all the core files.
Replying to [comment:3 swissspidy]:
> Hi @alishanvr and welcome to WordPress Trac!
>
> This has come up many times before, for example in #36177, #30806, and
> most recently in #44700.
>
> Path disclosure is a server configuration problem. Never enable
> `display_errors` on a production site. See
> [https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/ Security FAQ].
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45773#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
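
The `display_errors` advice quoted above can be checked on a host with a small audit of its php.ini text. This is an added example, not part of the ticket or of WordPress; the function names and both sample files are constructed for illustration, and it assumes PHP's compiled-in default for `display_errors` is "1" when the directive is never set.

```python
import re

# Constructed sample php.ini text (not taken from any real host).
SAMPLE_WEAK = """\
[PHP]
;display_errors = Off
display_errors = Off
log_errors = On
display_errors = On   ; re-enabled further down: last assignment wins
"""
SAMPLE_HARDENED = """\
[PHP]
display_errors = Off
log_errors = On
"""

# Values PHP's INI reader treats as "off"; any other value (On, 1, yes,
# true, stdout, stderr) makes PHP print errors, including file paths.
OFF_VALUES = {"", "0", "off", "false", "no", "none"}
# Assumption: PHP's compiled-in default for display_errors is "1", so a
# file that never sets the directive still displays errors.
BUILTIN_DEFAULT = "1"
ASSIGN = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*)$")


def last_assignment(ini_text, name):
    """Return (value, line_number) of the last uncommented assignment."""
    found = (None, None)
    for number, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.split(";", 1)[0]  # drop ';' comments (fine for on/off values)
        match = ASSIGN.match(line)
        if match and match.group(1) == name:  # directive names are case sensitive
            found = (match.group(2).strip().strip("\"'"), number)
    return found


def audit_display_errors(ini_text):
    """Report whether this configuration lets PHP print errors to visitors."""
    value, line = last_assignment(ini_text, "display_errors")
    if value is None:
        value = BUILTIN_DEFAULT
    return {"exposed": value.lower() not in OFF_VALUES, "value": value, "line": line}


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_display_errors(text))
```

The check reads only the file it is given; a value changed at runtime (for example with `ini_set()`) or in a per-directory override is not visible to it.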