[wp-trac] [WordPress Trac] #44663: Disallow direct access to wp-includes php files

WordPress Trac noreply at wordpress.org
Sat Jul 28 18:02:31 UTC 2018


#44663: Disallow direct access to wp-includes php files
-----------------------------+-----------------------------
 Reporter:  lucasbustamante  |      Owner:  (none)
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  General          |    Version:  4.9.7
 Severity:  normal           |   Keywords:
  Focuses:                   |
-----------------------------+-----------------------------
 Running WP Scan on my website, I saw a full path disclosure vulnerability
 under **wp-includes/rss-functions.php**

 Error code:

 {{{
 Call to undefined function _deprecated_file() in
 /home/mydomain/public_html/wp-includes/rss-functions.php on line 8
 }}}


 This is its source code:
 {{{#!php
 <?php
 /**
  * Deprecated. Use rss.php instead.
  *
  * @package WordPress
  */
 _deprecated_file( basename(__FILE__), '2.1.0', WPINC . '/rss.php' );
 require_once( ABSPATH . WPINC . '/rss.php' );
 }}}

 A lot of files under wp-includes look similar to this one.

 I wonder if it would make sense to prevent direct access to these files,
 since they use the _deprecated_file() function, which is loaded with WordPress.

 {{{#!php
 <?php
 // Exit if this file is requested directly instead of being loaded by WordPress.
 if ( ! defined( 'ABSPATH' ) ) exit;
 }}}

 I have turned off display_errors on my website, but still, it makes sense to
 me. Other people are having this issue, and many others don't even know
 what WP Scan is and are vulnerable without even knowing.

 https://wordpress.stackexchange.com/questions/203123/full-path-disclosure-
 on-rss-functions-php

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44663>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
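Added example (not part of the ticket and not WordPress code): a small Python audit script that walks a directory of PHP files and lists those that do not carry the defined('ABSPATH') guard the reporter proposes within their first few lines of code. It is a heuristic for a site owner checking a checkout, not a replacement for the core fix; it assumes the guard is placed near the top of each file, and the two sample files it builds are constructed from the ticket's snippets.

```python
"""Audit PHP files for a missing direct-access guard (added example, not WordPress code)."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Heuristic: WordPress files that block direct requests check defined('ABSPATH')
# near the top, before calling anything that only exists once core is loaded.
# The pattern accepts spacing and quote variants, and both the `if (!defined...) exit;`
# and `defined('ABSPATH') || exit;` spellings.
GUARD_RE = re.compile(r"""defined\s*\(\s*['"]ABSPATH['"]\s*\)""")

# Lines that are blank or part of a comment/docblock do not count as code.
COMMENT_OR_BLANK_RE = re.compile(r"^\s*(\*|/\*|//|#|$)")


def has_direct_access_guard(source: str, max_code_lines: int = 5) -> bool:
    """Return True if the ABSPATH guard appears within the first `max_code_lines`
    non-comment, non-blank lines of the file (the opening <?php tag is skipped)."""
    seen = 0
    for line in source.splitlines():
        stripped = line.strip()
        if stripped.startswith("<?php"):
            stripped = stripped[len("<?php"):].strip()
            if not stripped:
                continue
        if COMMENT_OR_BLANK_RE.match(stripped):
            continue
        if GUARD_RE.search(stripped):
            return True
        seen += 1
        if seen >= max_code_lines:
            break
    return False


def find_unguarded_php(root: Path) -> list[str]:
    """Return sorted paths (relative to root) of .php files that lack the guard."""
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*.php")
        if not has_direct_access_guard(p.read_text(encoding="utf-8", errors="replace"))
    )


# Constructed sample files modelled on the two snippets in the ticket.
SAMPLES = {
    "rss-functions.php": (
        "<?php\n"
        "/**\n * Deprecated. Use rss.php instead.\n *\n * @package WordPress\n */\n"
        "_deprecated_file( basename(__FILE__), '2.1.0', WPINC . '/rss.php' );\n"
        "require_once( ABSPATH . WPINC . '/rss.php' );\n"
    ),
    "guarded.php": (
        "<?php\n"
        "if ( ! defined( 'ABSPATH' ) ) exit;\n"
        "_deprecated_file( basename(__FILE__), '2.1.0', WPINC . '/rss.php' );\n"
    ),
}


def demo() -> list[str]:
    """Write the constructed samples to a temp dir and report the unguarded ones."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in SAMPLES.items():
            (root / name).write_text(body, encoding="utf-8")
        return find_unguarded_php(root)


if __name__ == "__main__":
    for path in demo():
        print(f"no direct-access guard: {path}")
```

Point `find_unguarded_php` at a real wp-includes directory to get the list of candidates; treat the output as a review queue, since the heuristic only looks at the first few code lines and does not know whether a file actually calls a core function before load.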

