[wp-trac] [WordPress Trac] #38317: Fixing full path disclosure in rss.php
WordPress Trac
noreply at wordpress.org
Sat Oct 15 09:30:24 UTC 2016
#38317: Fixing full path disclosure in rss.php
--------------------------+----------------------
Reporter: damian1989 | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Feeds | Version:
Severity: minor | Resolution: wontfix
Keywords: | Focuses:
--------------------------+----------------------
Changes (by ocean90):
* status: new => closed
* version: 4.6.1 =>
* milestone: Awaiting Review =>
* keywords: rss,fpd =>
* resolution: => wontfix
Old description:
> There's a small bug called "full path disclosure" which certainly is not
> dangerous but still not nice.
>
> How to trigger:
> Call the wp-includes/rss.php directly with your browser
>
> You can see the full path because in this context _deprecated_file is not
> defined. Works only when your server displays errors; otherwise you just
> get an error 500.
>
> Possible/easy fix:
>
> Make sure it is defined ;)
>
> /**
> * We don't want a file path disclose vulnerability on certain servers.
> */
> if (!function_exists('_deprecated_file')) {
> exit();
> }
New description:
There's a small bug called "full path disclosure" which certainly is not
dangerous but still not nice.

How to trigger:
Call the wp-includes/rss.php directly with your browser

You can see the full path because in this context _deprecated_file is not
defined. Works only when your server displays errors; otherwise you just
get an error 500.

Possible/easy fix:

Make sure it is defined ;)

{{{
/**
 * We don't want a file path disclose vulnerability on certain servers.
 */
if (!function_exists('_deprecated_file')) {
    exit();
}
}}}
--
Comment:
Hello @damian1989, welcome to Trac!

The same occurs in most of /wp-includes/*.php and /wp-admin/includes/*.php

However, [https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files this is not a security issue], nor is it something
that is intended to be "fixed", as it's not encountered during "standard
usage". If WordPress is used on a production server, error displays should
be disabled, and/or direct access to the php files in the above
directories disabled.

Additionally, when you created this ticket:
> '''Do not report potential security vulnerabilities here.''' See the [https://make.wordpress.org/core/handbook/reporting-security-vulnerabilities/ Security FAQ] and contact !security at wordpress.org.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38317#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
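
A check a site owner can run over responses from their own server to tell apart the outcomes discussed in the ticket: a displayed error that leaks the path, a bare error 500, and blocked direct access. This is an added example, not part of the ticket or of WordPress; the function names, outcome labels and sample responses are constructed for illustration.

```python
import re

_TAGS = re.compile(r"<[^>]+>")  # PHP wraps displayed errors in <b>/<br /> when html_errors is on
# Matches "... in /abs/path/file.php on line N" and the "file.php:N" form used for uncaught errors.
_PHP_ERROR = re.compile(
    r"(?:Fatal error|Parse error|Warning|Notice|Deprecated):\s.*?"
    r"\bin\s+((?:/|[A-Za-z]:\\)[^\s:]+\.php)(?::\d+|\s+on line\s+\d+)",
    re.DOTALL,
)

def disclosed_paths(body):
    """Return absolute .php paths that a displayed PHP error leaks in a response body."""
    text = _TAGS.sub("", body)
    return sorted({m.group(1) for m in _PHP_ERROR.finditer(text)})

def classify(status, body):
    """Map one response for a directly requested include file to an outcome label."""
    paths = disclosed_paths(body)
    if paths:
        return "discloses-path", paths          # errors are displayed to visitors
    if status in (403, 404):
        return "direct-access-blocked", []      # web server refuses the include file
    if status == 500:
        return "error-display-off", []          # PHP failed but printed nothing
    return "inconclusive", []

# Constructed sample responses (paths and line numbers are made up).
SAMPLES = {
    "display_errors on": (200, "<br />\n<b>Fatal error</b>:  Call to undefined function "
        "_deprecated_file() in <b>/var/www/html/wp-includes/rss.php</b> on line <b>16</b><br />"),
    "uncaught-error form": (200, "Fatal error: Uncaught Error: Call to undefined function "
        "_deprecated_file() in /var/www/html/wp-includes/rss.php:16\nStack trace:\n#0 {main}\n"
        "  thrown in /var/www/html/wp-includes/rss.php on line 16"),
    "display_errors off": (500, ""),
    "access denied": (403, "<h1>403 Forbidden</h1>"),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name:22} -> {classify(status, body)}")
```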