Full Disclosure mailing list archives
Re: Full Path Disclosure in most wordpress' plugins [?]
From: Peter Bruderer <peter.bruderer () brg ch>
Date: Tue, 29 Sep 2009 20:33:14 +0200
The proposed fix is definitely something that helps. But to me it looks like most people do not care anymore about server settings. As soon as it is kind of working, it is pushed to the Internet. Why not avoid these problems completely and follow the recommendations in php.ini?

; Print out errors (as a part of the output). For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below). Keeping display_errors enabled on a production web site
; may reveal security information to end users, such as file paths on your Web
; server, your database schema or other information.
;
; possible values for display_errors:
;
; Off         - Do not display any errors
; stderr      - Display errors to STDERR (affects only CGI/CLI binaries!)
; stdout (On) - Display errors to STDOUT
;
display_errors = Off

; Even when display_errors is on, errors that occur during PHP's startup
; sequence are not displayed. It's strongly recommended to keep
; display_startup_errors off, except for when debugging.
display_startup_errors = Off

; Log errors into a log file (server-specific log, stderr, or error_log (below))
; As stated above, you're strongly advised to use error logging in place of
; error displaying on production web sites.
log_errors = On

Now the error message is in the logfile and nothing is displayed in the browser.

Peter Bruderer
--
Bruderer Research GmbH
CH-8200 Schaffhausen

On 29.09.2009, at 18:31, Loaden wrote:
Hey, at first excuse my bad English. That's a nice fix. But you need to change the code for other plugins or files. This code works for all files which should not be loaded directly:

if (basename($_SERVER['SCRIPT_NAME']) == basename(__FILE__))
    exit('Please do not load this page directly');

If your webhoster doesn't have a configuration panel you can try to disable errors with this in your index.php:

ini_set('display_errors', 0);

I'm not sure if it works if safe mode is activated. Try it or look at the PHP manual.

Regards
Loaden

On Mo, 2009-09-28 at 23:37 +0300, Glafkos Charalambous wrote:

Hello,

That definitely can be fixed easily with two lines of code but is still something that should have been prevented at earlier stages of "plugin" development:

"if (!empty($_SERVER['SCRIPT_FILENAME']) && 'akismet.php' == basename($_SERVER['SCRIPT_FILENAME'])) die ('Please do not load this page directly');"

From the server side you can set PHP "warning" and "errors" OFF either through php.ini or the PHP page itself, but sometimes that's not an option.

Regards,
Glafkos Charalambous

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
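As an added example that is not part of this thread and not written by any of the posters: Peter's point is that the three php.ini settings quoted above decide whether a warning raised by a directly loaded plugin file ends up in the browser (full path disclosure) or in the log. The script below, written for this page, parses a php.ini-style text the way PHP reads it (`;` starts a comment, last assignment wins, On/1/true and Off/0/false are equivalent) and reports which of `display_errors`, `display_startup_errors` and `log_errors` deviate from the production values. Both ini excerpts are constructed samples, not any real server's configuration.

```python
import re

# Constructed sample: a host where the stock recommendation is left commented
# out and the live lines show errors to the browser. Last assignment wins.
WEAK_INI = """\
[PHP]
; display_errors = Off
display_errors = On
display_startup_errors = On
log_errors = Off
"""

# Constructed sample: the production values recommended in php.ini.
HARDENED_INI = """\
[PHP]
; Production settings
display_errors = Off
display_startup_errors = Off
log_errors = On
"""

# Required production value per setting, and what goes wrong otherwise.
EXPECTED = {
    "display_errors": ("off", "errors, including file paths, are sent to the browser"),
    "display_startup_errors": ("off", "startup errors are sent to the browser"),
    "log_errors": ("on", "errors are not recorded anywhere"),
}

_ASSIGN = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.*?)\s*$")


def normalize(value: str) -> str:
    """Map PHP's boolean spellings to 'on'/'off'.

    Anything else (for example 'stderr', which PHP accepts for display_errors
    but which only affects the CGI/CLI binaries) is returned lower-cased as-is
    and will not match the expected 'off' for a web-served host.
    """
    v = value.strip().strip('"').strip("'").lower()
    if v in ("1", "on", "true", "yes"):
        return "on"
    if v in ("0", "off", "false", "no", "none", ""):
        return "off"
    return v


def parse_php_ini(text: str) -> dict:
    """Return {setting: normalized value} for every live assignment.

    Comment lines (';') and '[section]' headers are skipped. A ';' inside a
    quoted value is not handled, which is enough for the boolean settings
    audited here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip() or line.lstrip().startswith("["):
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        settings[m.group(1).lower()] = normalize(m.group(2))
    return settings


def audit(text: str) -> list:
    """Return a list of findings; an empty list means the error-reporting
    settings match the production recommendation."""
    settings = parse_php_ini(text)
    findings = []
    for key, (want, why) in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key} not set explicitly (set it to {want}: otherwise {why})")
        elif got != want:
            findings.append(f"{key} = {got}, expected {want}: {why}")
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{name}: {audit(ini) or 'OK'}")
```

Run it against a copy of the server's real php.ini (`audit(open('/path/to/php.ini').read())`) after every deployment; note that a later `ini_set('display_errors', 1)` in application code, as Loaden's reply hints, overrides the file and is not visible to a file-only check.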
Current thread:
- Full Path Disclosure in most wordpress' plugins [?] Fernando A. Lagos B. (Sep 28)
- Re: Full Path Disclosure in most wordpress' plugins [?] majinboo (Sep 28)
- Re: Full Path Disclosure in most wordpress' plugins [?] Fernando A. Lagos B. (Sep 28)
- Re: Full Path Disclosure in most wordpress' plugins [?] Glafkos Charalambous (Sep 28)
- Re: Full Path Disclosure in most wordpress' plugins [?] Fernando A. Lagos B. (Sep 28)
- Re: Full Path Disclosure in most wordpress' plugins [?] Jan G.B. (Sep 29)
- Re: Full Path Disclosure in most wordpress' plugins [?] Loaden (Sep 29)
- Re: Full Path Disclosure in most wordpress' plugins [?] Peter Bruderer (Sep 29)
- Re: Full Path Disclosure in most wordpress' plugins [?] Glafkos Charalambous (Sep 29)
- Re: Full Path Disclosure in most wordpress' plugins [?] majinboo (Sep 29)
- Re: Full Path Disclosure in most wordpress' plugins [?] Glafkos Charalambous (Sep 30)
- Re: Full Path Disclosure in most wordpress' plugins [?] James Matthews (Sep 30)
- Re: Full Path Disclosure in most wordpress' plugins [?] majinboo (Sep 28)