Browsing to twentyten or twentyeleven theme displays error and path (7 posts)

  1. MickeyRoush
    Posted 3 years ago #

I've disabled error reporting so this doesn't affect me, but I can browse to the twentyten or twentyeleven theme directory of almost any live WordPress site and it will throw an error. It varies from site to site, mostly it's a "headers already sent" error. But that's not really the point I'm trying to get across. It reveals the path to their site on their server. Again, this is for almost any live WordPress site that I visit. Seems like this would be a security issue. Did anything happen with recent updates to cause this? I don't seem to recall it in the past, but I seldom browse directly to that directory.

    Here is the example, if you type this in your browser, it will throw the error and reveal the path to the website's server.


  2. Weird. I'm not getting what you're getting on my WordPress install (Apache) or on my Crash Test Dummy (nginx). I'm Ivory soap sure that's a server configuration issue.

    I do get this "403 Get lost" message on my child theme directory.

    You don't have permission to access /wp-content/themes/mostlyharmless-elemin/ on this server.
    Apache/2.2.14 (Ubuntu) Server at blog.dembowski.net Port 80

    But for me that's hardly an issue as that's the path in my HTML. When I get home tonight I'll put a "Silence is golden" index.php file there. ;)

    Edit: Scratch that, as I'm pretty sure putting an empty index.php would break my child theme. Will look more tonight.

  3. esmi
    Forum Moderator
    Posted 3 years ago #

    It reveals the path to their site on their server.

    That's really a server issue - not a WordPress one.

  4. MickeyRoush
    Posted 3 years ago #

    esmi wrote:

    That's really a server issue - not a WordPress one.

    If that's so, why does the Hardening WordPress recommend this:

    I'm about 99% sure that was also put in place to help prevent path exposure as well. If I could find the trac/svn I would post the link here.

    Well, I guess I was being too selective. I do see quite a few that don't display any errors as well as ones that do.

    Here is one that is looking for assistance in another thread:

    It throws the error that I'm talking about:

    Fatal error: Call to undefined function get_header() in /home/radiance/public_html/wp-content/themes/twentyten/index.php on line 16

    And another from the same forum:

    And another:

    I could go on and on.

  5. wp-includes is not wp-content.

    Honestly, worrying about your server path is pretty low on the list of things to worry about, but it is a bit odd. I wonder if they didn't wrap it with the usual wp_die messages because themes need to be able to hit things directly (for CSS and images) and this would barf.

    Worrying about someone knowing I'm installed at /home/ipstenu/public_html/ is a bit like worrying that my car has a gas tank anyone can unscrew and pour shit in at the middle of the night.
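The fatal error quoted earlier in the thread ("Call to undefined function get_header()") happens because a theme template such as twentyten/index.php is requested directly by URL, so WordPress never bootstraps and none of its functions exist when the template calls them; with display_errors on, PHP then prints the full filesystem path. The following is an added example written for this thread, not code from WordPress or from any theme, showing the guard pattern a theme author can put at the top of each PHP template (the theme name in the comment is a placeholder):

```php
<?php
/**
 * Added example: a guarded theme template, e.g.
 * wp-content/themes/example-theme/index.php (placeholder theme name).
 *
 * When WordPress loads this file normally (index.php -> wp-blog-header.php
 * -> wp-load.php), the ABSPATH constant is already defined. When the file
 * is fetched directly by URL, ABSPATH is undefined and any call to a
 * WordPress function would be a fatal error whose message contains the
 * absolute path of this file.
 */

// Refuse direct requests before any WordPress function is touched.
// Sending a plain 403 and stopping means no fatal error and no path is emitted.
if ( ! defined( 'ABSPATH' ) ) {
    header( 'HTTP/1.1 403 Forbidden' );
    exit;
}

// From here on WordPress is guaranteed to be loaded, so the usual
// template calls are safe.
get_header();

if ( have_posts() ) {
    while ( have_posts() ) {
        the_post();
        // Normal loop output for the template.
        the_title( '<h2>', '</h2>' );
        the_content();
    }
} else {
    echo '<p>No posts found.</p>';
}

get_footer();
```

The guard only lives in PHP files, so it does not interfere with the web server serving style.css, images or scripts from the theme directory directly, which is the concern raised above about wrapping theme files. It also only hides one symptom: the underlying fix is to keep error output out of HTTP responses on a production site, for example by leaving WP_DEBUG and WP_DEBUG_DISPLAY at false in wp-config.php and setting display_errors = Off in php.ini so that errors go to the log instead of the page.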

  6. MickeyRoush
    Posted 3 years ago #

    Yes, I know wp-includes is not wp-content, but the comparison is relevant.

    In my opinion you're wrong about knowing the path. If I can symlink your server, I've gotten everything I need to know with the exposed path. With that path I can deduce that your wp-config.php is likely going to be in one of two locations. Once I've symlink'd the file I will then have all the information contained within wp-config.php (or any other file). This error would make some attacks so much easier to achieve.

    And since I used to install car electronics, I've installed car alarms with motion sensors (with pagers) just for the reason that you mentioned, but they also create lockable gas tank covers as well and both are very easy to implement. If you have a car that someone wants to do that to, then you should take the precaution to prevent it (which is pretty easy to do). I believe the same would go for a website. If your site is not that important to you, and you don't think anything will happen because an error exposes your server path, well then, that's your choice. I for one would rather be safe than sorry and I assumed that WordPress/Automattic would be as well. Maybe I'm wrong?

  7. If I can symlink your server, I've gotten everything I need to know with the exposed path.

    Dude, if you can do that, I'm effed anyway, because my server hasn't locked down cross-site protection! You can't symlink to my server without access to my server, like with an NFS mount. Not a security issue anyone's worried about.

    You cannot 'symlink' to someone else's server. You can symlink someone else's account on your own server, provided you have access (and if you do, leave that webhost, they're fools).

    Mine's /home/ipstenu/public_html/

    My WP config is in /home/ipstenu/

    None of these things are secrets.

Topic Closed

This topic has been closed to new replies.