WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#18715 closed defect (bug) (wontfix)

Information disclosure issue in update.php

Reported by: joostdevalk | Owned by: joostdevalk
Milestone: | Priority: normal
Severity: normal | Version: 3.3
Component: Security | Keywords: has-patch
Focuses: | Cc:

Description

/wp-includes/update.php discloses the full path of the WP install; a patch to fix that is attached.

Attachments (1)

update-patch.diff (424 bytes) - added by joostdevalk 3 years ago.
Patch


Change History (2)

joostdevalk 3 years ago

Patch

comment:1 dd32 3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

The same occurs in most of /wp-includes/*.php and /wp-admin/includes/*.php

However, this is not a security issue, nor is it something that is intended to be "fixed", as it's not encountered during "standard usage". If WordPress is used on a production server, error displays should be disabled, and/or direct access to the php files in the above directories disabled.
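
A way to verify the condition discussed in this ticket, as an added example that is not part of the ticket, the attached patch or WordPress itself: the Python below scans HTTP response bodies for displayed PHP errors that expose an absolute file path. It assumes PHP's standard "message in file on line N" error display layout; the sample bodies, install paths, line numbers and the file names plain.php and hardened.php are constructed.

```python
import html
import re

# PHP's displayed-error layout: "<level>: <message> in <file> on line <n>".
# With html_errors=On the level, file and line are wrapped in <b> tags.
_TAGS = re.compile(r"<[^>]+>")
_PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated):\s+"
    r"(?P<message>.*?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:\\)\S*?\.php)"
    r"(?:\(\d+\))?\s+on line\s+(?P<line>\d+)"
)


def find_path_disclosures(body):
    """Return one dict per PHP error in `body` that exposes an absolute path."""
    text = html.unescape(_TAGS.sub("", body))
    return [
        {"level": m["level"], "message": m["message"],
         "path": m["path"], "line": int(m["line"])}
        for m in _PHP_ERROR.finditer(text)
    ]


def audit(responses):
    """Map each URL to its findings, omitting URLs whose body is clean."""
    found = {url: find_path_disclosures(body) for url, body in responses.items()}
    return {url: hits for url, hits in found.items() if hits}


# Constructed sample bodies (not captured from a real site).
SAMPLES = {
    "/wp-includes/update.php": (  # html_errors on, Unix-style path
        "<br />\n<b>Fatal error</b>:  Call to undefined function add_action() "
        "in <b>/var/www/example/wp-includes/update.php</b> on line <b>10</b><br />\n"
    ),
    "/wp-includes/plain.php": (  # plain-text error, Windows-style path
        "Warning: include(): Failed opening 'x.php' in "
        "C:\\inetpub\\example\\wp-includes\\plain.php on line 3\n"
    ),
    "/wp-includes/hardened.php": "",  # error display disabled: nothing leaks
}

if __name__ == "__main__":
    for url, findings in audit(SAMPLES).items():
        print(url, [(f["level"], f["path"], f["line"]) for f in findings])
```

Feed `audit` the bodies returned by your own site for files under /wp-includes/ and /wp-admin/includes/; an empty result means no displayed PHP error exposed a path in those responses.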
