Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#19330 closed defect (bug) (wontfix)

Information disclosure in wp-app.php

Reported by: Ov3rfly Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.2.1
Component: Security Keywords: close 2nd-opinion
Focuses: Cc:


/wp-app.php discloses the full url to admin-interface if AtomPub is disabled, line 285:

// check to see if AtomPub is enabled
if ( !get_option( 'enable_app' ) )
	$this->forbidden( sprintf( __( 'AtomPub services are disabled on this site.  An admin user can enable them at %s' ), admin_url('options-writing.php') ) );

Suggested fix: Do not print output of admin_url('options-writing.php')

Change History (5)

#2 @Ov3rfly
6 years ago

@Sergey: Not related.

The above /wp-app.php output is not a PHP warning/error.

The output is always visible, printed by sprintf()

#3 @Ov3rfly
6 years ago

Some real life examples of this information disclosure: Google

#4 @solarissmoke
6 years ago

  • Keywords close 2nd-opinion added

I don't think that the link to options-writing.php is not something that anyone couldn't work out anyway? Besides, it's just a URL, and does not disclose full (server) path information.

Also, the Google search query you linked to only turns up sites that have other PHP errors/warnings being generated, and display_errors on - which is just bad server configuration and not a WordPress issue.

#5 @nacin
6 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

We don't consider this information disclosure.

Note: See TracTickets for help on using tickets.