• Resolved steve-d

    (@steve-d)


    This is odd. A scan shows some kind of error, giving away internal path information. This never showed up before, and the most recent upgrade was just the Twenty Ten theme to 1.1.

    The internal path anomaly is ... (I used * just to not give out information here.)
    /data/*/*/*/*/*/user/*/*/*/wp-content/themes/default/index.php

    So how do I turn off errors with no php.ini?
    display_errors = Off

    Using WordPress 3.0

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    A … scan? What kind of scan? Is this on the front end of your site?

    Thread Starter steve-d

    (@steve-d)

    A … scan?

    An external vendor scan. Basically the main question is how to set display_errors = Off at this point.

    Could be a host issue, I don’t know.

    internal paths

    PHP is very good at leaking the internal paths of your system in case of errors. You can find out exactly where the blog is hosted (/var/www, /home/user, etc.) and you can 99% of the time guess the user name used for administration.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Probably not a WordPress thing but a PHP one, yeah.

    Hmmm. If you can’t get at php.ini I think you can put error_reporting(0); somewhere in your code, but I don’t know where to cover all of WordPress.

    I’d ask my host to turn it off in the php.ini if you’re that worried.

    Thread Starter steve-d

    (@steve-d)

    I’d ask my host to turn it off in the php.ini

    They just upgraded PHP, could be it. My other option might be an htaccess tweak of some kind.

    Thread Starter steve-d

    (@steve-d)

    It was being caused by the WordPress Default Theme.

    Thread Starter steve-d

    (@steve-d)

    Let me clarify: it was the original default theme, not Twenty Ten, that somehow produced this anomaly. My fix was simply to delete the old default theme, which I do not use anyway.

  • The topic ‘WordPress internal path vulnerability’ is closed to new replies.
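
A defender-side check for the leak discussed in this thread, added here as an example and not code from any poster or from WordPress: it scans a saved response body for PHP error lines that disclose an absolute file path and reports each one with its directories masked, the way the first post did with `*`. The function names, the sample bodies and the error messages in them are constructed for illustration.

```python
import re

# PHP prints errors as "<level>: <message> in <file> on line <n>", with the
# level, file and line wrapped in <b> tags when html_errors is enabled.
# Paths containing spaces are not handled by this pattern.
PHP_ERROR_RE = re.compile(
    r"(?:<b>)?(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated)(?:</b>)?"
    r":\s+(?P<message>.*?)\s+in\s+(?:<b>)?(?P<path>(?:/|[A-Za-z]:\\)[^<\s]+)(?:</b>)?"
    r"\s+on line\s+(?:<b>)?(?P<line>\d+)(?:</b>)?",
    re.IGNORECASE,
)


def mask_path(path, keep_from="wp-content"):
    """Replace every directory above `keep_from` with '*' so a finding can be
    shared without repeating the leak; with no `keep_from` component in the
    path, only the file name is kept."""
    parts = path.replace("\\", "/").split("/")
    cut = parts.index(keep_from) if keep_from in parts else len(parts) - 1
    return "/".join(["*" if p else p for p in parts[:cut]] + parts[cut:])


def find_path_leaks(body):
    """Return (level, masked_path, line_number) for each PHP error in `body`
    that exposes an absolute filesystem path."""
    return [
        (m.group("level"), mask_path(m.group("path")), int(m.group("line")))
        for m in PHP_ERROR_RE.finditer(body)
    ]


# Constructed sample bodies (not taken from the thread).
SAMPLE_HTML = (
    "<br />\n<b>Fatal error</b>:  Call to undefined function get_header() in "
    "<b>/data/web/u123/home/wp-content/themes/default/index.php</b> "
    "on line <b>7</b><br />\n"
)
SAMPLE_TEXT = (
    "Warning: include(header.php): failed to open stream in "
    "/home/alice/public_html/wp-content/themes/default/index.php on line 3"
)
SAMPLE_CLEAN = "<html><body>Hello world, posted in /blog on line one</body></html>"

if __name__ == "__main__":
    for name, body in [("html", SAMPLE_HTML), ("text", SAMPLE_TEXT), ("clean", SAMPLE_CLEAN)]:
        print(name, find_path_leaks(body))
```

Running it over the saved output of a scan before and after a change (removing an unused theme, or having the host set display_errors to Off) shows whether the response still carries a path.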