
[closed] full path disclosure: security problem (29 posts)

  1. Dextro
    Member
    Posted 8 years ago #

    Is it normal that everything is plainly browsable with a default installation?
    Everyone can just look inside wp-content and see which themes, plugins and so on are installed.
    And if you go to a theme file, then you have a full path disclosure.

    example:
    browsable: http://www.example.com/wp-content/
    full path: http://www.example.com/wp-content/default/index.php

    I think that's a serious security problem.

    edit: sorry, wrong subforum....

  2. emt036
    Member
    Posted 8 years ago #

    This has nothing to do with WordPress, it is the default set-up of your web-server. If you are using Apache, add this to your .htaccess:

    Options All -Indexes

  3. Dextro
    Member
    Posted 8 years ago #

    I know that's a solution for the open dir problem, but maybe this should be in the .htaccess in the initial installation.

    And it doesn't change anything with the full path disclosure:
    http://www.example.com/wp-content/themes/default/index.php

  4. James
    Happiness Engineer
    Posted 8 years ago #

    I really wouldn't go as far to say that this is a security concern, especially since 99.99999% of all WordPress users have their theme files in /wp-content/themes/, 99.99999% of all WordPress users have their plugin files in /wp-content/plugins/, and 99.99999% of all WordPress users have their admin files in /wp-admin/ . What I'm trying to get at here is that the file path really doesn't matter. If someone has the technical know-how to mess with your files, they probably already know where to look.

  5. Dextro
    Member
    Posted 8 years ago #

    In all other projects (Drupal, php-nuke, ...), they take this stuff seriously.

    I think it would be wise to add this to the default .htaccess file:

    Options All -Indexes
    # Turn off display_errors
    php_flag display_errors off
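    The two directives proposed above, collected into one .htaccess as an added example (this is not a file from the thread or from WordPress itself; the log path is a placeholder). Two caveats a practitioner should know: Apache 2.x rejects the mixed form `Options All -Indexes` (absolute and relative settings on one Options line), so `-Indexes` alone is used here, which removes listings and leaves the other options as inherited; and the `php_*` directives are only understood when PHP runs as an Apache module (mod_php), while under CGI or FastCGI they are unknown directives and every request fails with a 500, in which case the same settings belong in php.ini or a per-directory .user.ini instead.

```apache
# Added example: hardening .htaccess for a WordPress document root.
# Not part of the original thread; assumes Apache with mod_php.

# Stop Apache from generating a listing for any directory without an index file.
Options -Indexes

# Keep PHP errors (and the server paths they contain) out of the browser...
php_flag display_errors off

# ...but still record them somewhere the site owner can read, which answers the
# "on shared hosting you can't see the logs" objection. Keep this file outside
# the web root. The path below is a placeholder, not a real location.
php_flag log_errors on
php_value error_log /home/EXAMPLE_USER/php-errors.log
```

    Turning off display_errors only hides the message; the code that raised the error still fails. The listing and the path disclosure are separate problems, which is why both directives are needed.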

  6. neuro
    Member
    Posted 8 years ago #

    Dextro: you're looking for security issues in the wrong place, for 2 reasons:
    1/ .htaccess is not enabled on every host so your solution is not a real one as it will only target a few people.

    2/ as macmanx said, 99.99999999% WordPress users will use the standard install path for plugins and themes.

    A clever - or at least normal - sys admin will not allow the Indexes option and PHP error display, even if on public web hosts it's useful because you can't check logs.

    A simple solution should be to put a void index.php into those directories. Will work everywhere.

    I think it's not a wordpress concern and you just want to make a fuss claiming you have discovered a major security flaw on an open source project. Come back to play here when you're grown up

  7. neuro
    Member
    Posted 8 years ago #

    Oh, and talking about phpNuke it's been on the top holed applications list of all security mailing lists for years.

    Was not a very good idea to cite it as a model of security concerns IMHO

  8. Ryan Duff
    Member
    Posted 8 years ago #

    If you would have cited M$ Windows as a comparison then we might have believed you :P

  9. davidchait
    Member
    Posted 8 years ago #

    Hmmm. Makes me wonder why there isn't a default 'secure' index.php file in all WP subfolders, and then a 'standard' that anyone can include in their own created folders? I know there are index.php files in some of the subfolders...

    -d

  10. Dextro
    Member
    Posted 8 years ago #

    neuro: about point 1, you're right, i forgot that. And an empty index is a good alternative.

    All the other crap you wrote under it says more about you than about me... Btw, where did I write that phpnuke was a model?
    I discovered nothing, it was only a simple question, but apparently you folks don't accept 'new' people in here... Especially the sentence about growing up doesn't make sense in any way.

    Just don't forget, a piece of code can only get better if you folks accept some criticism. And yes, I have some other questions and things that maybe could be better, but I have now just discovered that it is better to shut up in here.

  11. neuro
    Member
    Posted 8 years ago #

    We should add a small script that creates an empty index.php in every indexless folder at install time, which should be regenerated the way the permalinks are.

    But I guess there will be people who want to have indexless directories and who will complain about this.

    But I still believe this is really a sysadmin issue more than a WordPress concern.

  12. Dextro
    Member
    Posted 8 years ago #

    What could be the advantage of an indexless dir?

  13. davidhouse
    Member
    Posted 8 years ago #

    If we go ahead with this, don't make the index.php completely empty, at least send out a 403 header.
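    The install-time script neuro proposes a few posts up, combined with davidhouse's point that the placeholder should answer 403 rather than be empty, as an added example (this is not WordPress code and not from the thread; the directory layout it builds in demo() is constructed for illustration, and the 403 is sent with header(), which works on any PHP version). It finds every directory under a web root that has neither index.php nor index.html and drops in a tiny index.php that returns 403, so Apache never generates a listing and the placeholder itself reveals nothing about the server.

```shell
#!/bin/sh
# Added example, not WordPress code: add a 403-returning index.php to every
# directory under a web tree that has no index file. Argument: the document root.

# Print each directory under $1 that has neither index.php nor index.html.
list_indexless_dirs() {
    find "$1" -type d ! -exec sh -c \
        'test -e "$1/index.php" || test -e "$1/index.html"' sh {} \; -print
}

# Count such directories (trailing tr strips the padding some wc builds emit).
count_indexless_dirs() {
    list_indexless_dirs "$1" | wc -l | tr -d ' '
}

# Write the placeholder into each indexless directory; prints how many were added.
# Existing index files are never touched, so a real theme or plugin index is safe.
add_placeholder_indexes() {
    list_indexless_dirs "$1" | while IFS= read -r dir; do
        printf '%s\n' \
            '<?php' \
            '// Placeholder index: blocks a directory listing, discloses nothing.' \
            "header('HTTP/1.1 403 Forbidden');" \
            'exit;' > "$dir/index.php"
        echo "$dir"
    done | wc -l | tr -d ' '
}

# Demo on a constructed tree that mimics a WordPress layout.
demo() {
    tree=$(mktemp -d)
    mkdir -p "$tree/wp-content/themes/default" "$tree/wp-content/plugins/example-plugin"
    : > "$tree/wp-content/themes/default/index.php"   # the theme already has one
    echo "indexless before: $(count_indexless_dirs "$tree")"
    echo "placeholders added: $(add_placeholder_indexes "$tree")"
    echo "indexless after: $(count_indexless_dirs "$tree")"
    rm -rf "$tree"
}

demo
```

    Run it as `sh add-indexes.sh /path/to/wordpress` after replacing the demo call with `add_placeholder_indexes "$1"`. Because it only ever creates files that do not exist, it can be re-run after an upgrade or plugin install, which is the "regenerated like the permalinks" behaviour neuro asks for.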

  14. chuyskywalker
    Member
    Posted 8 years ago #

    Wait a sec. Exactly what is the security issue here? Am I reading this wrong, or are you upset that I can browse to yoursite.com/wp-content/plugins/ and view what plugins you run?

    So what? I click on a plugin and it errors out. Everything is PHP executable, so no critical information is revealed. And what's the harm in seeing what other people have installed?

    I like the fact that I can browse most WP sites like this. It helps me to learn, and often times helps me out while I am troubleshooting a site.

  15. James
    Happiness Engineer
    Posted 8 years ago #

    Am I reading this wrong, or are you upset that I can browse to yoursite.com/wp-content/plugins/ and view what plugins you run?

    Apparently that is the issue here.

  16. chuyskywalker
    Member
    Posted 8 years ago #

    Apparently that is the issue here.

    Hrm...

    I think that's a serious security problem.

    I can't see how this is 1) a security issue or 2) serious. It's more like an "I don't want people seeing my files" issue which should probably be decided on a site to site basis by those who care to lock it down. I would not recommend this to be a default.

  17. Dextro
    Member
    Posted 8 years ago #

    The security problem is that you can see the whole path structure where your wordpress is installed. For example with the website of macmanx:
    Go to: http://www.macmanx.com/wordpress/wp-content/themes/default/index.php

    and you get:
    Fatal error: Call to undefined function: get_header() in /home/macmanxc/public_html/wordpress/wp-content/themes/default/index.php on line 1

    Now you have the full path of the installation on the server, also known as Full Path Disclosure, but apparently no one has ever heard of that here before.

    I just want to help make things safer, no problem for me. I don't use WordPress.

  18. Firas
    Member
    Posted 8 years ago #

    Dextro: no, we've heard of it... it's just something that should be turned off in the PHP install. If your host lets you throw out errors to the browser, your host is doing you a disservice.

    If you remain unretractable in your contention that a sysadmin issue just *has* to be taken care of by WordPress, please file a bug: http://trac.wordpress.org

  19. Firas
    Member
    Posted 8 years ago #

    As for themes and plugins, you raise an interesting issue---it can't be too hard to just let WP include them and not execute upon a GET request by the browser.

  20. Mark (podz)
    Support Maven
    Posted 8 years ago #

    And to anyone reading this who is worried, I would go back to the one topic about security you should not ignore: Your Password.

    That is your weakest link.
    Not server stuff, not php code, not exploits or XSS.

    Use a decent password, and do not think it up yourself:
    http://www.anypassword.com/
    It's free, Use it.

  21. chuyskywalker
    Member
    Posted 8 years ago #

    Dextro: Perhaps I'm daft on this issue, but how is that compromising data? Most home paths like that can be guessed -- especially on shared hosting like most people have.

    Aside from being an ugly error message, what paths does this lead a potential hacker down? Unless the hacker has an account on your shared server, and the server isn't jailrooted (or whatever that technique is called), then I'm not aware of how this comes as useful information.

    Enlighten me (us) ?

  22. whooami
    Member
    Posted 8 years ago #

    This is solved by including an empty index.html in empty dirs, or dirs where there isn't already something that would be called by default. That IS something that MOST serious software developers already do

  23. Ryan Duff
    Member
    Posted 8 years ago #

    whooami: are you saying wordpress isn't serious software?

    Quote taken on full path disclosure:

    Most PHP error/warning/notice msg can reveal physical path. But path disclosure does nothing unless you intend to gain root access to target account, e.g. FTP access through anonymous FTP vulnerabilities.

    They would have to find another vulnerability on the box for the full path disclosure to be of any use to them.

    Other than that, a google for "full path disclosure" just returns a ton of bugs in php-nuke. All multiple-set bugs are a high risk ... bug and a low risk full path disclosure.

    On another note, why not just add:
    php_flag display_errors off to the .htaccess and you won't show the paths for anymore errors. Who cares what plugins you have installed?

  24. whooami
    Member
    Posted 8 years ago #

    "php_flag display_errors off to the .htaccess and you won't show the paths for anymore errors. Who cares what plugins you have installed?"

    1. because not everyone can or wants to do that?

    2. lots of people care.
    lots of people are nosy.
    lots, in fact most, of your userbase's login names are IN FACT revealed in that aforementioned and semi-dismissed directory traversal 'issue'. Some people may even have that as their root MySQL login name. Guess what? They pay for hosting -- they can't change it just because you decided an empty index.html was too tough for you to include.

    I can rattle off at least a handful of web based apps that provide a simple damn index.html in those dirs that they ALREADY know need them.

    Why does it seem that the very minute anyone brings up what might be a very small thing to do, people get so damn defensive?

    It's such a simple thing to do, I don't see why you don't say, "gee ya know, yeah that's a good idea, we forgot that, we overlooked that, we whatever.. good job, thanks for that", and let it go, instead of passing off some damn error blocking code thing for people to put into their .htaccess.

    How about putting that in your docs:

    "Some pages of your admin area may be subject to either directory traversal errors (yes I submitted the bug about it) but we decided that YOU should have to add a line to your .htaccess squelching errors because we are too damn arrogant OR lazy OR bullheaded to admit we overlooked it"

    I certainly hope you never intend on this turning into a commercial endeavor. Cuz your customer care is really starting to suck. I have to tell you too, that you can delete or moderate disparaging posts all day long -- as your userbase grows the complaints are going to grow along with it. You can either address them or not I guess, in the end the fallout will be wordpress' problem.

    the last time I checked this was made by humans, right, or did you all pass over into deity status?

  25. moshu
    Member
    Posted 8 years ago #

    On another note, why not just add:
    php_flag display_errors off to the .htaccess ...

    That's the biggest problem with the so-called "inner circle" of WP people. You, guys, seem to have no idea what the real world of the average user looks like. The average joe (and BTW you are proudly boasting about their numbers in the download counter!) has no programming knowledge, doesn't know what the .htaccess file is, even if he has one created by WP for permalinks still doesn't know how to edit it, he is blogging from a freaking windoz machine and in the best case scenario is able to ftp the files. That's it.
    Any fancy advice about php code, telnet, command lines and other BS (so often seen around) will not help WP to become as popular as it could be. It is time to start to think about install, docs and everything for the average win pc population. Or if the target group for "marketing" is different - say so on the first page of WP.

  26. chuyskywalker
    Member
    Posted 8 years ago #

    You can either address them or not I guess, in the end the fallout will be wordpress' problem.

    the last time I checked this was made by humans, right, or did you all pass over into deity status?

    So, wait, which part is going to be the downfall of WordPress? Is it the fact that WP devs are -- apparently -- gods, or this whole "full path disclosure" thing?

    Wow, this thread got outta control, but at least you're making it interesting to read!

  27. Mark (podz)
    Support Maven
    Posted 8 years ago #

    On one host I have, you cannot see a directory listing (of any directory without an index) as they have disabled it.
    On my main host, you can - this thread prompted me to check - so I have implemented the .htaccess across the domain. I have NOT done this because of WordPress, as that is easily solved - as whooami says - by including a simple index file in a few directories, or because of any PATH info. I maintain that passwords are the biggest risk.

    I've done it because image galleries and other directories not related to WP can be 'looked into' if the option is not disallowed, and while I've nothing to hide, I can do without some jackass eating bandwidth by downloading everything. I can think of half a dozen bloggers whose BW allocation I could chew through if I could see their image listings.
    So yes, there may well be a risk (I defer to the people who know more) but equally there are very good reasons for not allowing this anyway.

  28. whooami
    Member
    Posted 8 years ago #

    chuyskywalker,

    I used the word 'fallout' not 'downfall'. They have the same amount of syllables but are different words and have different meanings.

  29. Matt Mullenweg
    Troublemaker
    Posted 8 years ago #

    Whooami, please calm down and come back later. Your concern has been noted.
