[wp-trac] [WordPress Trac] #38317: Fixing full path disclosure in rss.php
WordPress Trac
noreply at wordpress.org
Sat Oct 15 09:15:26 UTC 2016
#38317: Fixing full path disclosure in rss.php
--------------------------+-----------------------------
 Reporter:  damian1989    |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Feeds         |    Version:  4.6.1
 Severity:  minor         |   Keywords:  rss,fpd
  Focuses:                |
--------------------------+-----------------------------

There's a small bug called "full path disclosure" which certainly is not
dangerous but still not nice.

How to trigger:
Call the wp-includes/rss.php directly with your browser.

You can see the full path because in this context _deprecated_file is not
defined. Works only when your server displays errors; otherwise you just
get an error 500.

Possible/easy fix:
Make sure it is defined ;)

 /**
  * We don't want a file path disclosure vulnerability on certain servers.
  */
 if (!function_exists('_deprecated_file')) {
     exit();
 }

--
Ticket URL: <https://core.trac.wordpress.org/ticket/38317>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
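
A response-body check for the error described in this ticket, added here as an example (it is not part of the ticket or of WordPress): it scans a page your own server returned for PHP error messages that name an absolute file path. The sample bodies, paths and line numbers are constructed, and the name find_path_disclosures is hypothetical.

```python
import html
import re

# PHP reports the failing file as "in /abs/file.php on line N" (classic form)
# or "in /abs/file.php:N" (uncaught Error, PHP 7+). Paths with spaces are not handled.
_PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated)\s*:\s*"
    r"(?P<message>.*?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:[\\/])[^\s:<>]+?\.php)"
    r"(?:\s+on\s+line\s+|:)(?P<line>\d+)",
    re.DOTALL,
)
_TAGS = re.compile(r"<[^>]+>")  # html_errors=On wraps parts of the message in <b>


def find_path_disclosures(body):
    """Return one dict per PHP error in `body` that exposes an absolute path."""
    text = html.unescape(_TAGS.sub("", body))
    return [
        {
            "level": m.group("level"),
            "message": m.group("message").strip(),
            "path": m.group("path"),
            "line": int(m.group("line")),
        }
        for m in _PHP_ERROR.finditer(text)
    ]


# Constructed sample responses (paths and line numbers are made up).
SAMPLE_HTML_ERRORS = (
    "<br />\n<b>Fatal error</b>:  Call to undefined function _deprecated_file() "
    "in <b>/var/www/html/wp-includes/rss.php</b> on line <b>16</b><br />\n"
)
SAMPLE_PHP7 = (
    "Fatal error: Uncaught Error: Call to undefined function _deprecated_file() "
    "in /srv/www/wp-includes/rss.php:16\nStack trace:\n#0 {main}\n"
    "  thrown in /srv/www/wp-includes/rss.php on line 16\n"
)
SAMPLE_WINDOWS = (
    "Fatal error: Call to undefined function _deprecated_file() "
    r"in C:\inetpub\wwwroot\wp-includes\rss.php on line 16"
)
SAMPLE_CLEAN = "<rss version='2.0'><title>Notice: feed moved</title></rss>"

if __name__ == "__main__":
    for name in ("SAMPLE_HTML_ERRORS", "SAMPLE_PHP7", "SAMPLE_WINDOWS", "SAMPLE_CLEAN"):
        print(name, find_path_disclosures(globals()[name]))
```

An empty result for a body does not show the file is guarded: with error display off the same request returns an error 500 with no message, so the server's error log is the place to confirm.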