Opened 5 years ago

Closed 5 years ago

#13046 closed defect (bug) (worksforme)

System Path Disclosure

Reported by: lostsnow
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.9.2
Component: Themes
Keywords:
Focuses:
Cc:

Description

GET /wp-content/themes/default/ or
GET /wp-content/themes/default/footer.php etc.

then I'll see the system path like:

Fatal error: Call to undefined function get_header() in /home/lostsnow/www/lsproc/blog/wp-content/themes/default/index.php  on line 7

Change History (1)

comment:1 @nacin 5 years ago

  • Milestone Unassigned deleted
  • Priority changed from highest omg bbq to normal
  • Resolution set to worksforme
  • Severity changed from critical to normal
  • Status changed from new to closed

This is a "vulnerability" ultimately rooted in display_errors = 1.

Courtesy of the PHP manual:

Note: This is a feature to support your development and should never be used on production systems (e.g. systems connected to the internet).
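
A site owner can check for this by scanning their own responses for PHP error text that carries an absolute path. The sketch below is an added example, not part of the ticket or of WordPress; the function names and the second and third sample bodies are constructed for illustration, and paths containing spaces are not handled.

```python
import re

# display_errors output has the shape "<Severity>: <message> in <file> on line <N>".
# With html_errors on, the parts are wrapped in <b> tags, so tags are stripped first.
PHP_ERROR = re.compile(
    r"(?P<severity>Fatal error|Parse error|Warning|Notice|Deprecated)"
    r":\s+(?P<message>.+?)\s+in\s+"
    r"(?P<file>(?:/|[A-Za-z]:[\\/])\S+?\.php)"   # absolute Unix or Windows path
    r"\s+on\s+line\s+(?P<line>\d+)"
)
TAGS = re.compile(r"<[^>]+>")

# Constructed sample responses keyed by request path. The first body is the
# error quoted in the ticket; the other two are made up for this example.
SAMPLES = {
    "/wp-content/themes/default/": (
        "Fatal error: Call to undefined function get_header() in "
        "/home/lostsnow/www/lsproc/blog/wp-content/themes/default/index.php  on line 7"
    ),
    "/wp-content/themes/default/footer.php": (
        "<br />\n<b>Fatal error</b>:  Call to undefined function wp_footer() in "
        "<b>/srv/example/blog/wp-content/themes/default/footer.php</b>"
        " on line <b>3</b><br />"
    ),
    "/wp-content/themes/default/header.php": "",  # errors not displayed: empty body
}


def find_path_disclosures(body):
    """Return one dict per PHP error in body that exposes an absolute path."""
    text = TAGS.sub("", body)
    return [
        {"severity": m.group("severity"), "message": m.group("message"),
         "file": m.group("file"), "line": int(m.group("line"))}
        for m in PHP_ERROR.finditer(text)
    ]


def audit(responses):
    """Map each request path to its findings, keeping only paths that leak."""
    report = {url: find_path_disclosures(body) for url, body in responses.items()}
    return {url: hits for url, hits in report.items() if hits}


if __name__ == "__main__":
    for url, hits in audit(SAMPLES).items():
        for h in hits:
            print(f"{url}: {h['severity']} exposes {h['file']} (line {h['line']})")
```
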
