[wp-trac] [WordPress Trac] #30806: Security: Full Path Disclosure
WordPress Trac
noreply at wordpress.org
Sun Dec 21 11:49:07 UTC 2014
#30806: Security: Full Path Disclosure
-----------------------------+-----------------------------
Reporter: smartifahrer | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 4.1
Severity: normal | Keywords:
Focuses: |
-----------------------------+-----------------------------
On Sergej Müller's website, I found a post about "Full Path Disclosure" (in
German): http://cup.wpcoder.de/fpd-vulnerability-wordpress/
On some hosters (1&1) it is not possible or easy to change PHP settings so
that errors are not shown.
Example: http://www.langer-webmedia.de/wp-includes/rss.php
So if you directly access a WordPress PHP file, you get an error message and
see the server path.
In Joomla there is a simple solution to prevent this.
First they define a constant in files with direct access:
define('_JEXEC', 1);
Then in all other files they check if the constant is defined, or die:
defined('_JEXEC') or die('Restricted access');
This works fine. This can make WordPress more secure. OK, to make this we
must add a line of code in all files. But I think it's worth it.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/30806>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
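The Joomla-style guard the ticket proposes, written the way it is commonly done in WordPress code. This is an added example and not code from the ticket, from Joomla or from WordPress core; the file path and function names are hypothetical. It relies on the fact that WordPress defines the ABSPATH constant in wp-config.php (falling back to wp-load.php) before any other core, theme or plugin file is loaded, so a PHP file that a browser requests directly runs with ABSPATH undefined.

```php
<?php
/*
 * wp-content/plugins/example-plugin/includes/helper.php  (hypothetical path)
 *
 * Without a guard, requesting this file directly over HTTP makes PHP run it
 * outside WordPress. get_permalink() is then undefined, the call fails, and a
 * host with display_errors enabled sends the caller a message of the form
 *
 *   Fatal error: Call to undefined function get_permalink() in
 *   /home/<account>/htdocs/wp-content/plugins/example-plugin/includes/helper.php
 *
 * which is exactly the Full Path Disclosure the ticket describes.
 *
 * The guard below is the WordPress equivalent of Joomla's
 * defined('_JEXEC') or die(...): ABSPATH is only set when this file was
 * reached through WordPress itself, so a direct request stops here before
 * any line that could trigger an error with a path in it.
 */
if ( ! defined( 'ABSPATH' ) ) {
    // Answer direct requests with a plain 403 and no PHP error output.
    http_response_code( 403 );
    exit( 'Restricted access' );
}

/**
 * Everything below runs only inside a normal WordPress request, where the
 * core API functions it depends on are guaranteed to exist.
 */
function example_plugin_permalink_for( $post_id ) {
    return get_permalink( (int) $post_id );
}
```

Two points follow from the ticket's own argument. First, the check has to sit at the very top of every file that is not an entry point: a single unguarded file in a web-reachable directory is enough to leak the path, so the guard is a per-file discipline rather than a one-off setting. Second, the guard is a defence in depth, not a replacement for hiding errors: on hosts where php.ini cannot be edited, display_errors can usually still be turned off for the site with `php_flag display_errors Off` in .htaccess under mod_php, or with a per-directory user php.ini under CGI/FastCGI, and either of those also covers files that were overlooked.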