Web application information disclosure vulnerability
Hello, I recently performed a vulnerability scan on my ecommerce site and the results came back as failing due to what looks like a warning with the BulletProof Security plugin. How would I fix this so that the warning doesn’t display the path information or is there a way to remove the warning altogether?
Here is a sample of the scan results:
Synopsis
The remote web application discloses path information.
Why is this a risk?
At least one web application hosted on the remote web server discloses the physical path to its directories when a malformed request is sent to it.
Leaking this kind of information may help an attacker fine-tune attacks against the application and its backend.
Data Received
The request
GET /wp-json/oembed/1.0/embed?format=embed%00.html HTTP/1.1
Host: example.com
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
produces the following path information:
Warning: session_start(): open(/var/cpanel/php/sessions/ea-php82 /sess_f02bf61f75639db56553090e9192ccb752, O_RDWR) failed: No such file or directory (2) in /home/username/public_html/example.com/wp-content/plugins/bulletproof-security/403.php on line 3
Warning: session_start(): Failed to read session data: fil […]
Where are you seeing the PHP errors? In your PHP error log or somewhere else? What vulnerability scanner are you using? A plugin? An online scanner?
I am using an external vulnerability scanner through SecurityMetrics, they work in cyber security and PCI compliance. It is the AVS scanner they provide.
It looks like the errors are showing in the PHP error log. /home/username/logs/example.com.php.error.log. There is a second error after the one I listed above as well. Here are both together:
Warning: session_start(): open(/var/cpanel/php/sessions/ea-php82 /sess_f02bf61f75639db56553090e9192ccb752, O_RDWR) failed: No such file or directory (2) in /home/username/public_html/example.com/wp-content/plugins/bulletproof-security/403.php on line 3
Warning: session_start(): Failed to read session data: files (path: /var/cpanel/php/sessions/ea-php82) in /home/username/public_html/example.com/wp-content/plugins/bulletproof-security/403.php on line 3
A PHP error log cannot be viewed externally by someone else unless there is some kind of problem with file permissions. So that hosting account path would only be viewable by someone who either has hosting account access or WordPress Administrator access. Try viewing your PHP error log from a browser and let me know if you can view it externally. You would need to use the URL path and not a file path. example:
https://www.example.com/error_log
Just a word of caution: I did a little checking on SecurityMetrics and they are known for aggressive sales tactics. Take a look at their reviews on TrustPilot.
Thanks for the heads up about SecurityMetrics, they have been a bit pushy on the sales side at times but the scans are part of a general compliance regulation that I have to meet so I would have to address this regardless of who did the scan.
I have the file permissions for the error log set so that they cannot be viewed publicly. When going to the URL path while logged out it shows a 403 forbidden page but the BPS errors are visible at the top. Below is all of the content on the 403 page.
Warning: session_start(): open(/var/cpanel/php/sessions/ea-php82 /sess_f02bf61f75639db56553090e9192ccb752, O_RDWR) failed: No such file or directory (2) in /home/username/public_html/example.com/wp-content/plugins/bulletproof-security/403.php on line 3
Warning: session_start(): Failed to read session data: files (path: /var/cpanel/php/sessions/ea-php82) in /home/username/public_html/example.com/wp-content/plugins/bulletproof-security/403.php on line 3
403 Forbidden Error
If you arrived here due to a search or clicking on a link, click your browser’s back button to return to the previous page. Thank you.
Website: example.com
Your IP Address: xx.xx.xxx.x
BPS Plugin 403 Error Page
Ah ok, then the reason for that is that you either have the display_errors directive set to On instead of Off in your php.ini or .user.ini file under the root of your hosting account, or you have WP_DEBUG set to display errors in your wp-config.php file. See the WordPress WP_DEBUG code below. You should always have WP_DEBUG set to false on a Production/Live website and only set the value to true briefly when debugging. Some web hosts allow you to set display_errors values in your web host control panel. If your web host does not have the feature then you would create a plain text file called either php.ini or .user.ini, add this directive in the file: display_errors=Off, and upload the file to your hosting account root folder.
define('WP_DEBUG', false);
define('WP_DEBUG_LOG', false);
define('WP_DEBUG_DISPLAY', false);
It was the php.ini and .user.ini that were the issue. I set display_errors to off for both and the warnings are not visible now. Thank you so much for the help!
Yay!
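As an added defender-side check (not code from this thread or from the BulletProof Security plugin), the Python script below flags PHP diagnostics that expose filesystem paths in a response body, using the 403 page quoted above as a constructed sample, and verifies that a php.ini/.user.ini fragment actually turns display_errors off. The session file name in the sample is constructed.

```python
import re
from typing import List, NamedTuple

# PHP diagnostics rendered into an HTTP body; group "path" is the absolute
# server-side file path that the scanner reported as path disclosure.
PHP_ERROR_RE = re.compile(
    r"(?P<level>Warning|Notice|Deprecated|Fatal error|Parse error):\s+"
    r"(?P<msg>.+?)\s+in\s+(?P<path>/[^\s<]+)\s+on\s+line\s+(?P<line>\d+)",
    re.DOTALL,
)

class Leak(NamedTuple):
    level: str
    path: str
    line: int

def find_path_leaks(body: str) -> List[Leak]:
    """Return every PHP diagnostic in `body` that exposes a server-side file path."""
    return [Leak(m["level"], m["path"], int(m["line"]))
            for m in PHP_ERROR_RE.finditer(body)]

# php.ini / .user.ini boolean spellings (case-insensitive) that switch display off.
# Anything else (On, 1, true, yes, stderr, stdout) still sends errors to the client.
_INI_OFF = {"", "0", "off", "false", "no", "none", "null"}

def display_errors_disabled(ini_text: str) -> bool:
    """True only when the last uncommented display_errors directive turns display off.
    A file that never sets it returns False, so the directive must be explicit."""
    value = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ini comments
        key, sep, val = line.partition("=")
        if sep and key.strip().lower() == "display_errors":
            value = val.strip().strip('"').lower()   # last occurrence wins
    return value is not None and value in _INI_OFF

# Constructed samples: the leaky 403 body from the thread versus a clean one.
LEAKY_403 = (
    "Warning: session_start(): open(/var/cpanel/php/sessions/ea-php82/sess_abc, O_RDWR) "
    "failed: No such file or directory (2) in /home/username/public_html/example.com/"
    "wp-content/plugins/bulletproof-security/403.php on line 3\n"
    "Warning: session_start(): Failed to read session data: files (path: /var/cpanel/php/"
    "sessions/ea-php82) in /home/username/public_html/example.com/wp-content/plugins/"
    "bulletproof-security/403.php on line 3\n403 Forbidden Error\n"
)
CLEAN_403 = "403 Forbidden Error\nBPS Plugin 403 Error Page\n"

if __name__ == "__main__":
    for leak in find_path_leaks(LEAKY_403):
        print(f"{leak.level}: {leak.path}:{leak.line}")
    print("display_errors=Off disables display:", display_errors_disabled("display_errors=Off\n"))
```

Point find_path_leaks at the body of your own 403 page fetched while logged out; an empty result after the display_errors change confirms the fix from the client's side, not just from the config file.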