[wp-trac] [WordPress Trac] #17737: Full Path Disclosure
WordPress Trac
wp-trac at lists.automattic.com
Thu Jun 9 21:59:41 UTC 2011
#17737: Full Path Disclosure
--------------------------+-----------------------------
Reporter: juliobox | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 3.2
Severity: major | Keywords:
--------------------------+-----------------------------
I already emailed this flaw to security at wordpress.org, but Andrew Nacin told
me that this is not a WordPress flaw but a PHP server config flaw. So I
post it here now.[[BR]]
----
''Exploit'' : http://WEBSITE.COM/?author[]=1 [[BR]]
''Problem'' : FPD (https://www.owasp.org/index.php/Full_Path_Disclosure)
[[BR]]
''Solution'' : Add this "@ini_set('display_errors', 0);" or this
"error_reporting(0);" at the end of the wp-config.php file. [[BR]]
''Patch'' : [[BR]]
1) wp-includes/query.php line 2239 [[BR]]
Replace
{{{
$q['author'] = (string)urldecode($q['author']);
}}}
by
{{{
// ?author[]=1 turns the query var into an array; take the first element
// so urldecode() always receives a string.
if ( is_array( $q['author'] ) ) {
    $q['author'] = $q['author'][0];
}
$q['author'] = (string)urldecode($q['author']);
}}}
2) wp-includes/canonical.php line 142 [[BR]]
Replace
{{{
} elseif ( is_author() && !empty($_GET['author']) && preg_match( '|^[0-9]+$|', $_GET['author'] ) ) {
}}}
by
{{{
} elseif ( is_author() && !empty($_GET['author']) && preg_match( '|^[0-9]+$|', !is_array($_GET['author']) ? $_GET['author'] : $_GET['author'][0] ) ) {
}}}
[[BR]]
'''Julio''' - [http://www.boiteaweb.fr]
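The ticket describes the mechanism only in prose: appending `[]` to the query parameter makes PHP build `$_GET['author']` as an array, the array reaches `urldecode()` and `preg_match()` which expect strings, and the resulting PHP warning prints the absolute path of `wp-includes/query.php` whenever `display_errors` is on. The script below is an added example written for this page; it is not WordPress code and not the reporter's patch. It reproduces the warning in a stand-alone file (so the leaked path is the script's own), then shows a hardening of the reporter's idea that also rejects nested arrays and non-numeric values instead of only unwrapping element 0. The function name `author_id_from_query` and the query strings in `$cases` are invented for the demonstration.

```php
<?php
// Added example, not WordPress core code. Shows (1) the full path disclosure
// triggered by ?author[]=1 and (2) a hardened way to coerce the query var.

// Constructed query strings standing in for real requests. parse_str() builds
// the same array structure PHP itself would build for $_GET.
$cases = [
    'author=1',          // normal request
    'author[]=1',        // the ticket's exploit: value becomes array(0 => '1')
    'author[x][]=1',     // nested array, not covered by "take element 0"
    'author=abc',        // non-numeric, must not be treated as an author id
];

// Hardened replacement for the pattern in wp-includes/query.php:
// returns the numeric author id, or null when the input is not one.
function author_id_from_query(array $get): ?int {
    if (!isset($get['author'])) {
        return null;
    }
    $author = $get['author'];
    // ?author[]=1 yields an array; take the first element like the
    // reporter's patch does, but refuse anything that is still not scalar.
    if (is_array($author)) {
        $author = reset($author);
    }
    if (!is_scalar($author)) {
        return null;
    }
    $author = urldecode((string) $author);
    return preg_match('|^[0-9]+$|', $author) ? (int) $author : null;
}

// Capture warnings to show exactly what display_errors=On would print to the
// visitor: the message includes the absolute path of the faulting file.
set_error_handler(function (int $errno, string $msg, string $file, int $line): bool {
    echo "leaked by display_errors: $msg in $file on line $line\n";
    return true;
});

foreach ($cases as $qs) {
    parse_str($qs, $get);

    // Vulnerable behaviour: the unpatched line from query.php. On PHP 5/7 this
    // emits the warning above; PHP 8 throws a TypeError instead, whose uncaught
    // stack trace would likewise name the file path.
    try {
        $raw = (string) urldecode($get['author']);
    } catch (TypeError $e) {
        echo "PHP 8 TypeError: " . $e->getMessage() . "\n";
    }

    printf("%-16s -> hardened result: %s\n", $qs, var_export(author_id_from_query($get), true));
}
```

Run it with `php fpd_author.php`; only the `author[]=1` and `author[x][]=1` cases produce the warning, and the hardened function returns `1`, `1`, `null`, `null` for the four inputs. To check a site you are authorised to test, `curl -s 'http://WEBSITE.COM/?author[]=1' | grep -i warning` is enough: a `Warning: urldecode() expects parameter 1 to be string` line containing an absolute path confirms the disclosure. On the server side, prefer `display_errors = Off` together with `log_errors = On` in php.ini over `error_reporting(0)`, so the warnings still land in the error log where an operator can see them without being shown to visitors.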
--
Ticket URL: <http://core.trac.wordpress.org/ticket/17737>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software