Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#38317 closed defect (bug) (wontfix)

Fixing full path disclosure in rss.php

Reported by: damian1989
Owned by:
Milestone:
Priority: normal
Severity: minor
Version:
Component: Feeds
Keywords:
Focuses:
Cc:

Description (last modified by ocean90)

There's a small bug called "full path disclosure" which certainly is not dangerous, but still not nice.

How to trigger:
Call wp-includes/rss.php directly with your browser.

You can see the full path because in this context _deprecated_file is not defined. This works only when your server displays errors; otherwise you just get an error 500.

Possible/easy fix:

Make sure it is defined ;)

/**
 * We don't want a file path disclosure vulnerability on certain servers.
 * If WordPress has not been loaded, _deprecated_file() does not exist,
 * so stop before the call that would otherwise raise a fatal error.
 */
if (!function_exists('_deprecated_file')) {
    exit();
}

Change History (7)

#1 @ocean90
4 years ago

  • Description modified (diff)
  • Keywords rss fpd removed
  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed
  • Version 4.6.1 deleted

Hello @damian1989, welcome to Trac!

The same occurs in most of /wp-includes/*.php and /wp-admin/includes/*.php.

However, this is not a security issue, nor is it something that intends on being "fixed" as it's not encountered during "standard usage". If WordPress is used on a production server, error displays should be disabled, and/or direct access to the php files in the above directories disabled.

Additionally, when you created this ticket:

Do not report potential security vulnerabilities here. See the Security FAQ and contact security@wordpress.org.

#2 @mark-k
4 years ago

  • Resolution wontfix deleted
  • Status changed from closed to reopened

@ocean90, yes, this is nothing security related, but it is a bug. PHP files should either do output or do only function/class definitions. Since rss.php here was not designed to do output, it should just not do any output when it is parsed, like all other core files that contain just function definitions and should output an empty page if accessed directly: no other output, no side effect.

If I run with WP_DEBUG off, I will still get an error in my logs because obviously it is a PHP error, but the point of having WP_DEBUG off is to not get them.

This call needs to be protected by checking that the function exists or WP_DEBUG is set.

For output-generating files (wp-includes\theme-compat\footer.php) it is actually worse, because this check breaks backward compatibility, which the deprecation notices are not supposed to do. Yeah, no one should have a reason to remotely load them, but if they do, a "function not existing" type of error should not be output before the HTML, again especially when WP_DEBUG is off.

Looking further along this line of reasoning, wp-includes-embed is a double offender, as it will also give an error on the include it does when accessed directly. Hmmm, same problem with the two admin files that use this deprecation function.

#3 @mark-k
4 years ago

lol, should have looked better. rss.php is designed to do output, so the second part applies to it: you get an error on the function and then on ABSPATH not being defined.

Or am I looking at the wrong place again... sorry for the spam.

Last edited 4 years ago by mark-k

#4 @ocean90
4 years ago

  • Resolution set to wontfix
  • Status changed from reopened to closed

Re-closing as wontfix for the reasons I mentioned in my comment. Please see also some of the related/duplicate tickets: #18715, #30103, #30806, #17737, #31663, #35835, #10367.

#5 @mawais999
4 years ago

  • Resolution wontfix deleted
  • Status changed from closed to reopened

I am trying, but my problem is not getting solved. When I place code in .htaccess I get a 500 internal server error on my homepage. I don't understand how to solve this.

#6 @ocean90
4 years ago

  • Resolution set to wontfix
  • Status changed from reopened to closed

@mawais999 Please try the support forums at http://wordpress.org/support/ for help and troubleshooting your issue.

#7 @mawais999
4 years ago

Okay bro, thanks for your reply.
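As an added example (not code from this ticket or from WordPress core), this is the "direct access disabled" mitigation from comment #1 that comment #5 tried to apply, written as an Apache .htaccess fragment in the style of the WordPress hardening guidance. It assumes WordPress is installed at the document root and that mod_rewrite is enabled.

```apache
# Deny direct web requests to WordPress include-only PHP files, so that
# hitting wp-includes/rss.php in a browser returns 403 instead of a PHP
# fatal error that may carry the server path in its message.
# Put this block in the site's .htaccess ABOVE the "# BEGIN WordPress"
# section, which WordPress rewrites on its own. The IfModule guard keeps
# the directives inert (rather than causing a 500) when mod_rewrite is absent.
<IfModule mod_rewrite.c>
RewriteEngine On
# Assumption: WordPress lives at the document root; adjust for a subdirectory.
RewriteBase /
# wp-admin/includes/ holds library code only; never serve it directly.
RewriteRule ^wp-admin/includes/ - [F,L]
# For any request outside wp-includes/, skip the next three rules.
RewriteRule !^wp-includes/ - [S=3]
# Top-level wp-includes/*.php (rss.php and friends) is library code.
# On Multisite, drop this line: it would also block ms-files.php.
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
# theme-compat/ holds fallback templates (header.php, footer.php, ...).
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

If every page returns 500 after adding this, the directives themselves are rejected, most often because AllowOverride for the directory does not permit FileInfo; the Apache error log names the offending line.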
