Opened 14 years ago
Closed 14 years ago
#19330 closed defect (bug) (wontfix)
Information disclosure in wp-app.php
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.2.1 |
| Component: | Security | Keywords: | close 2nd-opinion |
| Focuses: | | Cc: | |
Description
/wp-app.php discloses the full URL to the admin interface if AtomPub is disabled, line 285:
```php
// check to see if AtomPub is enabled
if ( !get_option( 'enable_app' ) )
	$this->forbidden( sprintf( __( 'AtomPub services are disabled on this site. An admin user can enable them at %s' ), admin_url('options-writing.php') ) );
```
Suggested fix: Do not print output of admin_url('options-writing.php')
Change History (5)
#2
14 years ago
@Sergey: Not related.
The above /wp-app.php output is not a PHP warning/error.
The output is always visible, printed by sprintf().
#4
14 years ago
- Keywords close 2nd-opinion added
I don't think that the link to options-writing.php is something that anyone couldn't work out anyway? Besides, it's just a URL, and does not disclose full (server) path information.
Also, the Google search query you linked to only turns up sites that have other PHP errors/warnings being generated, and display_errors on - which is just bad server configuration and not a WordPress issue.
Related: #17601, #18715