[resolved] WordPress internal path vulnerability (7 posts)

  1. Steve D
    Posted 5 years ago #

    This is odd. A scan shows some kind of error, giving away internal path information. This never showed up before, and the most recent upgrade was just the Twenty Ten Theme to 1.1.

    The internal path anomaly is . . (I used * just to not give out information here.)

    So how do I turn off errors with no php.ini?
    display_errors = Off

    Using WordPress 3.0

  2. A ... scan? What kind of scan? Is this on the front end of your site?

  3. Steve D
    Posted 5 years ago #

    A ... scan?

    An external vendor scan. Basically the main question is how to set display_errors = Off at this point.

    Could be a host issue, I don't know.

    internal paths

    PHP is very good at leaking the internal paths of your system in case of errors. You can find out exactly where the blog is hosted (/var/www, /home/user, etc.) and you can 99% of the time guess the user name used for administration.

  4. Probably not a WordPress thing but a PHP one, yeah.

    Hmmm. If you can't get at php.ini I think you can put error_reporting(0); somewhere in your code, but I don't know where to cover all of WordPress.

    I'd ask my host to turn it off in the php.ini if you're that worried.

  5. Steve D
    Posted 5 years ago #

    I'd ask my host to turn it off in the php.ini

    They just upgraded PHP, could be it. My other option might be an htaccess tweak of some kind.

  6. Steve D
    Posted 5 years ago #

    It was being caused by the WordPress Default Theme.

  7. Steve D
    Posted 4 years ago #

    Let me clarify: it was the original default theme, not Twenty Ten, that somehow produced this anomaly. My fix was simply to delete the old default theme, which I do not use anyway.
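
Added example, not part of the original thread: a small Python check that looks for PHP error output disclosing filesystem paths in page bodies, useful for confirming that display_errors is really off after a change. The URLs, the function name in the error message and the path in SAMPLE_PAGES are constructed placeholders.

```python
import re
from html import unescape

# Error levels PHP prints when display_errors is on.
LEVELS = "Fatal error|Parse error|Warning|Notice|Deprecated|Strict Standards"
TAGS = re.compile(r"<[^>]+>")  # PHP wraps errors in <b>/<br /> when html_errors is on
ERROR = re.compile(
    rf"(?P<level>{LEVELS}):\s+(?P<message>.*?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:\\).+?)\s+on line\s+(?P<line>\d+)"
)


def find_path_leaks(body):
    """Return every PHP error in a response body that reveals an absolute path."""
    text = unescape(TAGS.sub("", body))
    return [
        {"level": m["level"], "path": m["path"], "line": int(m["line"])}
        for m in ERROR.finditer(text)
    ]


def scan(pages):
    """Map URL -> leaks, keeping only pages where something was disclosed."""
    report = {}
    for url, body in pages.items():
        leaks = find_path_leaks(body)
        if leaks:
            report[url] = leaks
    return report


# Constructed sample responses (placeholders, not taken from the thread).
SAMPLE_PAGES = {
    "https://blog.example/page-a": (
        "<br />\n<b>Fatal error</b>:  Call to undefined function example_fn() in "
        "<b>/home/exampleuser/public_html/wp-content/themes/default/index.php</b>"
        " on line <b>8</b><br />\n"
    ),
    # Ordinary page text that mentions "Warning:" must not be flagged.
    "https://blog.example/page-b": "<p>Warning: comments are closed in this thread.</p>",
    "https://blog.example/page-c": "<html><body><h1>Hello world!</h1></body></html>",
}

if __name__ == "__main__":
    for url, leaks in scan(SAMPLE_PAGES).items():
        for leak in leaks:
            print(f"{url}: {leak['level']} discloses {leak['path']} (line {leak['line']})")
```

An empty result from scan() over your own site's pages after the change means none of the fetched responses still carries a PHP error with an absolute path.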
