multiple full path disclosures (3 posts)

  1. Kuh
    Member
    Posted 9 years ago #

    I found multiple full path disclosures in the recent release 2.0:
    - http://HOST/wp-includes/vars.php
    - http://HOST/wp-includes/template-loader.php
    - http://HOST/wp-includes/locale.php
    - http://HOST/wp-includes/kses.php
    - http://HOST/wp-includes/default-filters.php
    - http://HOST/wp-admin/admin-footer.php

    Each file calls to an undefined function and therefore prints the full path of the file's location.

  2. scaturan
    Member
    Posted 9 years ago #

    please excuse my ignorance & enlighten some of us as to what is significant about full path disclosures. we're ready when you're ready. :)

  3. Kuh
    Member
    Posted 9 years ago #

    Sorry, I thought this would be commonly known. My fault, as it doesn't seem to be true.

    A full path disclosure gives you information about a system you are not supposed to have. It prints the whole path of the affected file. The output of one of the files I posted above is:

    "Fatal error: Call to undefined function: _e() in /var/www/somesite.com/htdocs/wp-admin/admin-footer.php on line 4"

    You now know that this server stores its websites using the scheme /var/www/[sitename.tld]/. This is not yet critical but has a significance regarding security. When trying to exploit a system this information can be useful for the attacking person as it tells system information which definitely is not meant to be public.

    Hope that helps to understand the problem with those errors :)

    edit: Not sure if this is the correct place to talk about this issue, as I just found out that there is an email address for reporting security issues.
    Sorry for not discovering this earlier. If a moderator thinks that this is not the right place, feel free to remove my posts.
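The guard that stops this class of error, as an added example that is not code from the thread or from WordPress itself; the file name is hypothetical and the example assumes the WordPress convention that the entry point (index.php via wp-config.php) defines ABSPATH before including anything.

```php
<?php
// wp-includes/example-footer.php (hypothetical name, added example)
//
// Files under wp-includes/ are library code: they expect the core to be loaded
// first so that functions such as _e() exist. The thread's report is the case
// where that expectation is violated: a browser requests the file directly,
// _e() is undefined, PHP raises a fatal error, and because the error message
// contains __FILE__, the absolute server path leaks to the visitor.

// Guard: a direct request never passes through wp-config.php, so ABSPATH is
// undefined. Stop here, before any core call can fail, and emit nothing that
// describes the filesystem.
if ( ! defined( 'ABSPATH' ) ) {
    http_response_code( 403 );
    exit;
}

// Defence in depth: even when an unexpected error does occur, keep the details
// out of the response. The path is still written to the error log, where an
// administrator can read it. Preferably set server-wide in php.ini
// (display_errors=Off, log_errors=On) rather than per file.
ini_set( 'display_errors', '0' );
ini_set( 'log_errors', '1' );

// Normal path: reached only when the entry point has loaded the core, so _e()
// exists and the output is ordinary page content rather than an error.
_e( 'Thanks for creating with WordPress.' );
```

A web-server rule that denies direct requests to wp-includes/*.php gives the same protection one layer earlier, and the two are complementary.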
