Opened 10 years ago
Closed 10 years ago
#30806 closed feature request (invalid)
Security: Full Path Disclosure
| Reported by: | smartifahrer | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.1 |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
On Sergej Müller's website, I found a post about "Full Path Disclosure" (in German): http://cup.wpcoder.de/fpd-vulnerability-wordpress/
On some hosters (1&1) it is not possible or easy to change the PHP settings so that errors are not shown.
Example: http://www.langer-webmedia.de/wp-includes/rss.php
So if you directly access a WordPress PHP file, you get an error message and see the server path.
In Joomla there is a simple solution to prevent this.
First they define a constant in files with direct access:
define('_JEXEC', 1);
Then in all other files they check if the constant is defined, or die:
defined('_JEXEC') or die('Restricted access');
This works fine. This can make WordPress more secure. OK, to do this we must add a line of code to all files. But I think it's worth it.
See the Security FAQ:
Additionally, when you created this ticket:
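As an added audit example (not code from this ticket, from Joomla or from WordPress), the script below walks a PHP tree and lists files that are neither an entry point nor protected by a direct-access guard of the kind the reporter describes. The `ABSPATH` pattern, the 40-line window and the sample files are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path
from typing import List

# Guard idioms accepted near the top of a file: the _JEXEC form quoted in the
# ticket, and (assumption) a defined('ABSPATH') check in the WordPress style.
GUARD_PATTERNS = [
    re.compile(r"defined\s*\(\s*['\"]_JEXEC['\"]\s*\)\s*or\s+die", re.I),
    re.compile(r"defined\s*\(\s*['\"]ABSPATH['\"]\s*\)", re.I),
]
# Entry points are the files that define the constant themselves.
ENTRY_POINT = re.compile(r"define\s*\(\s*['\"](_JEXEC|ABSPATH)['\"]", re.I)


def has_direct_access_guard(source: str, max_lines: int = 40) -> bool:
    """True if a guard appears within the first max_lines of the PHP source."""
    head = "\n".join(source.splitlines()[:max_lines])
    return any(p.search(head) for p in GUARD_PATTERNS)


def is_entry_point(source: str) -> bool:
    return ENTRY_POINT.search(source) is not None


def find_unguarded(root: str) -> List[str]:
    """Relative paths of .php files under root with no guard and no define()."""
    unguarded = []
    for path in sorted(Path(root).rglob("*.php")):
        src = path.read_text(encoding="utf-8", errors="replace")
        if is_entry_point(src) or has_direct_access_guard(src):
            continue
        unguarded.append(path.relative_to(root).as_posix())
    return unguarded


# Constructed sample tree (not real WordPress files): one guarded include,
# one unguarded include whose require would error out on direct access, one entry point.
SAMPLES = {
    "wp-includes/guarded.php": "<?php\ndefined('ABSPATH') or die('Restricted access');\nrequire 'feed.php';\n",
    "wp-includes/rss.php": "<?php\n// no guard: direct access reaches the require and the error reveals the path\nrequire_once ABSPATH . 'wp-includes/feed.php';\n",
    "index.php": "<?php\ndefine('_JEXEC', 1);\nrequire 'wp-includes/guarded.php';\n",
}


def build_sample_tree() -> str:
    root = tempfile.mkdtemp(prefix="fpd-audit-")
    for rel, body in SAMPLES.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root
```

Running `find_unguarded(build_sample_tree())` reports only `wp-includes/rss.php`; on a real install, point `find_unguarded` at the document root and review each hit, remembering that turning off `display_errors` removes the disclosure regardless of guards.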