[wp-trac] [WordPress Trac] #61003: Direct access to .php files in /wp-includes is not protected out of the box
WordPress Trac
noreply at wordpress.org
Fri Apr 12 22:28:17 UTC 2024
#61003: Direct access to .php files in /wp-includes is not protected out of the box
--------------------------+-----------------------
Reporter: teo8976 | Owner: (none)
Type: defect (bug) | Status: reopened
Priority: normal | Milestone:
Component: Security | Version: 6.5
Severity: critical | Resolution:
Keywords: | Focuses:
--------------------------+-----------------------
Changes (by teo8976):
* status: closed => reopened
* resolution: duplicate =>
Comment:
> we're already tracking this issue in #18546.
**Not really**. #18546 only talks about adding `index.php` in the
directory, which prevents requesting `/wp-includes` or `/wp-includes/` and
(potentially, depending on server configuration, not in my case actually)
getting a listing of the directory.
But that won't prevent a request to **`/wp-includes/any-existing-file.php`**
(e.g. `/wp-includes/rss.php`) from **directly executing php files** in that
directory that are only supposed to be included from other scripts, which
btw is also the potential security risk (although I hope you're already
making sure that each of those files doesn't pose a security risk even if
called from where it shouldn't be called).
> errors like this are considered a server configuration issue
If you are talking about the errors being displayed because of
`display_errors`, that's completely beside the point. The errors being
displayed are not the issue. The issue is the php file being requested
directly and executed, whether or not it triggers an error.
For example, if you request `/wp-includes/pluggable.php`, you will get a
200 response with a blank page, instead of a proper 404 page, which is
awfully wrong.
BTW I misspoke when I said:
> Expected:
> should give a "403 Forbidden" response
The correct response is a 404, with the pretty "page not found" page.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61003#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
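A quick way to reproduce what the comment above describes, as an added example that is not part of the ticket or of WordPress core: the script below requests a handful of `/wp-includes/*.php` files from a site you are authorized to test and reports, per file, whether the server blocked it (403/404) or executed it (200, with an empty body being the "blank page" symptom). The file list and the default base URL are assumptions for illustration; `classify` is the piece worth keeping, since it separates the three outcomes the ticket argues about.

```python
"""Probe a WordPress site for directly reachable /wp-includes/*.php files.

Added example, not code from the Trac ticket or WordPress core. Assumes the
target is reachable over HTTP(S) and that you are authorized to test it.
"""
import sys
import urllib.error
import urllib.request

# Files named in the ticket plus a few other well-known wp-includes scripts.
# Hypothetical probe list; extend it as needed.
WP_INCLUDES_FILES = ["rss.php", "pluggable.php", "version.php", "wp-db.php"]


def classify(status, body):
    """Map an HTTP status and response body to a verdict string.

    200 with an empty or whitespace-only body is the symptom the ticket
    describes: the script ran but had nothing to output. 200 with content
    means the script emitted something (error text or real output).
    403/404 mean the server refused or hid the file, which is what the
    ticket asks for.
    """
    if status == 200:
        return "executed (empty body)" if not body.strip() else "executed (output)"
    if status in (403, 404):
        return "blocked"
    return "other (%d)" % status


def fetch(url, timeout=10):
    """Return (status, body_text); HTTP error responses are still responses."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-includes-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe(base_url, files=WP_INCLUDES_FILES, fetcher=fetch):
    """Request each file under /wp-includes/ and return {name: verdict}.

    `fetcher` is injectable so the logic can be exercised offline with
    constructed responses.
    """
    results = {}
    for name in files:
        url = base_url.rstrip("/") + "/wp-includes/" + name
        status, body = fetcher(url)
        results[name] = classify(status, body)
    return results


if __name__ == "__main__":
    # Usage: python probe_wp_includes.py https://example.test
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    for name, verdict in probe(base).items():
        print("%-16s %s" % (name, verdict))
```

Anything reported as "executed" is the behaviour the ticket calls wrong; a site front-ended by a web server rule that denies direct requests to `/wp-includes/*.php` should report "blocked" for every entry (the output of `wp-includes/js/` and similar static assets is a separate matter and is not probed here).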