-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glafkos Charalambous wrote: > Hello, >
Hi Glafkos, > > > That definitely can be fixed easily with two lines of code but is still > something that should have been prevented at earlier stages of "plugin" > development > > > > "if (!empty($_SERVER['SCRIPT_FILENAME']) && 'akismet.php' == > basename($_SERVER['SCRIPT_FILENAME'])) > > die ('Please do not load this page directly');" > > It is a simple and good fix. > > From the server side you can set PHP "warning" and "errors" OFF either > through php.ini or PHP page itself but sometimes that's not an option Yep, if you disable the "display_errors" option on php.ini is not a good option. Setting display_erros to Off hides the problem but not fix the problem. > > > > Regards, cheers > > Glafkos Charalambous > > > > > > *From:* full-disclosure-boun...@lists.grok.org.uk > [mailto:full-disclosure-boun...@lists.grok.org.uk] *On Behalf Of *majinboo > *Sent:* Monday, September 28, 2009 11:12 PM > *To:* Fernando A. Lagos B. > *Cc:* full-disclosure@lists.grok.org.uk > *Subject:* Re: [Full-disclosure] Full Path Disclosure in most wordpress' > plugins [?] > > > > Hello, > > this kind of "vulnerabilities" exists whenever a PHP scripts issue a > fatal error on a poorly configured server. PHP should log errors in a > local file and not on the client screen. With this configuration, you > will not see a full path disclosure in each uncatched PHP exception. > IMHO the security weakness is on the php.ini and not on the web application. > > cheers, > > majinboo > > 2009/9/28 Fernando A. Lagos B. <ferna...@zerial.org > <mailto:ferna...@zerial.org>> > > Exists an call to add_action() without validate with function_exists(). > When I run the php script directly, I get the full path of wp installation. > > Example: > [+] http://www.marco2010.cl/wp-content/plugins/akismet/akismet.php > [+] http://www.marco2010.cl/wp-content/plugins/hello.php > > > Is a bug? Is a feature? > > More details posted in my blog: > http://blog.zerial.org/seguridad/vulnerabilidad-en-la-mayoria-de-los-plugins-para-wordpress/ > (spanish) > > > cheers. - -- Fernando A. Lagos Berardi - Zerial Desarrollador y Programador Web Seguridad Informatica Linux User #382319 Blog: http://blog.zerial.org Skype: erzerial Jabber: zer...@jabberes.org GTalk && MSN: ferna...@zerial.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrBNAEACgkQIP17Kywx9JSxUQCaA0cXq74tzk6WA+0MABll30tT d7QAmwXjiqdNkfF28X9gvYyGmkbQcB3o =7r4O -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/