[wp-trac] Re: [WordPress Trac] #1038: Limit access to php files
WordPress Trac
wp-trac at lists.automattic.com
Tue Apr 29 08:47:01 GMT 2008
#1038: Limit access to php files
-----------------------------+----------------------------------------------
Reporter: anonymousbugger | Owner: matt
Type: defect | Status: reopened
Priority: normal | Milestone:
Component: Security | Version: 2.5
Severity: normal | Resolution:
Keywords: needs-patch |
-----------------------------+----------------------------------------------
Changes (by thenlich):
* priority: lowest => normal
* status: closed => reopened
* version: 2.0.2 => 2.5
* resolution: wontfix =>
* severity: trivial => normal
Comment:
This bug is related to #1335 and exposes the server to path info
disclosure for most servers, since (unfortunately) the default PHP setting
for display_errors is 1.
Path info disclosure is not a trivial issue, as it provides an attacker
with vital information for exploiting potential security holes.
In addition, path info disclosure is only one symptom; other issues might
exist (for example in plugins) if a PHP file which should only be included
is called directly.
Suggested fix:
The only secure method is to put all include files in a separate directory
structure, definable in wp-config.php (e.g. WPINC), so that security-conscious
admins can install this part in a directory outside the docroot of the
webserver or disallow access by other means (.htaccess) for this stuff!
It is not difficult to make this change; it only requires the include path
to be configurable in a central location.
The current situation is a real defect in the application, and it is
worth fixing this, so I reopen.
--
Ticket URL: <http://trac.wordpress.org/ticket/1038#comment:17>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
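As an added illustration, not part of the ticket or of WordPress's own code, the sketch below shows the failure mode the comment describes (an include-only file requested directly) and the mitigations it suggests; the constant `WPINC_DIR`, the function `helper_title()` and the file paths are assumed.

```php
<?php
// Added example, not WordPress code: an include-only file written the way
// the comment recommends. WPINC_DIR, helper_title() and paths are assumed.
//
// Intended use (sketch of wp-config.php / index.php, assumed):
//   define('ABSPATH', __DIR__ . '/');
//   define('WPINC_DIR', '/srv/wp-private/wp-includes'); // outside docroot
//   require WPINC_DIR . '/helper.php';
//
// Failure mode from the ticket: if this file sits under the docroot and is
// requested directly (GET /wp-includes/helper.php), nothing has defined
// ABSPATH or get_bloginfo(). With display_errors=1, PHP prints something like
//   Fatal error: Call to undefined function get_bloginfo() in
//   /home/site/public_html/wp-includes/helper.php on line N
// and the absolute server path leaks to the visitor.
//
// Mitigation 1 (the comment's preferred fix): make the include directory
// configurable in one place (WPINC_DIR) so it can live outside the docroot,
// where no URL maps to it.
// Mitigation 2 (also in the comment): deny HTTP access with .htaccess in the
// include directory, e.g.
//   <FilesMatch "\.php$">
//       Order Allow,Deny
//       Deny from all
//   </FilesMatch>
// Mitigation 3 (defence in depth): refuse to run unless loaded by the
// application. The guard sits before any statement that could fail, so a
// direct request produces no error message and no path.
if (!defined('ABSPATH')) {
    header('HTTP/1.1 403 Forbidden');
    exit;   // nothing below executes on a direct request
}

function helper_title()
{
    return get_bloginfo('name');   // defined only inside a WordPress request
}
```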