#38317 closed defect (bug) (wontfix)
Fixing full path disclosure in rss.php
Reported by: | damian1989 | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | minor | Version: | |
Component: | Feeds | Keywords: | |
Focuses: | Cc: |
Description (last modified by )
There's a small bug called "full path disclosure" which certainly is not dangerous but still not nice.
How to trigger:
Call the wp-includes/rss.php directly with your browser
You can see the full path because in this context _deprecated_file is not defined. Works only when your server displays errors; otherwise you just get an error 500.
Possible/easy fix:
Make sure it is defined ;)
```php
/**
 * We don't want a file path disclose vulnerability on certain servers.
 */
if (!function_exists('_deprecated_file')) {
    exit();
}
```
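A check a site owner can run over saved responses from their own server to tell apart the two outcomes described above, a displayed error that leaks the path versus a bare error 500. This is an added example, not part of the ticket or of WordPress; the sample bodies, paths and line numbers are constructed.

```python
import re

# Matches PHP's displayed-error formats, with or without HTML markup:
#   Fatal error: <message> in /path/file.php on line 16
#   Fatal error: Uncaught Error: <message> in /path/file.php:16
PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated)(?:</b>)?:\s+"
    r"(?P<message>.*?)\s+in\s+(?:<b>)?"
    r"(?P<path>(?:/|[A-Za-z]:[\\/])[^\s<>:]+\.php)(?:</b>)?"
    r"(?::(?P<l1>\d+)|\s+on line\s+(?:<b>)?(?P<l2>\d+))",
    re.DOTALL,
)


def find_path_disclosures(body):
    """Return (level, absolute_path, line) for each PHP error shown in body."""
    return [
        (m.group("level"), m.group("path"), int(m.group("l1") or m.group("l2")))
        for m in PHP_ERROR.finditer(body)
    ]


def classify(status, body):
    """DISCLOSED: an absolute path is shown; ERROR_HIDDEN: bare 500, the error
    still reaches the server log; CLEAN: no PHP error in the response."""
    if find_path_disclosures(body):
        return "DISCLOSED"
    if status == 500:
        return "ERROR_HIDDEN"
    return "CLEAN"


# Constructed sample responses (paths and line numbers are made up).
SAMPLES = {
    "errors displayed": (200, "<br />\n<b>Fatal error</b>:  Call to undefined "
        "function _deprecated_file() in <b>/var/www/html/wp-includes/rss.php</b>"
        " on line <b>16</b><br />\n"),
    "errors displayed, PHP 7": (200, "<br />\n<b>Fatal error</b>:  Uncaught "
        "Error: Call to undefined function _deprecated_file() in "
        "/var/www/html/wp-includes/rss.php:16\nStack trace:\n#0 {main}\n  thrown"
        " in <b>/var/www/html/wp-includes/rss.php</b> on line <b>16</b><br />\n"),
    "errors hidden": (500, ""),
    "direct access denied": (403, "<h1>Forbidden</h1>"),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name:24} {classify(status, body):13} {find_path_disclosures(body)}")
```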
Change History (7)
#1
@
8 years ago
- Description modified (diff)
- Keywords rss fpd removed
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
- Version 4.6.1 deleted
#2
@
8 years ago
- Resolution wontfix deleted
- Status changed from closed to reopened
@ocean90, yes this is nothing security related, but it is a bug. PHP files should either do output or do only function/class definitions. Since rss.php here was not designed to do output, it should just not do any output when it is parsed, like all other core files that contain just function definitions and should output an empty page if accessed directly, no other output, no side effect.
If I run with wp_debug off, I will still get an error in my logs because obviously it is a PHP error, but the point of having wp_debug off is to not get them.
This call needs to be protected by checking that the function exists or WP_DEBUG is set.
For output generating files (wp-includes\theme-compat\footer.php) it is actually worse because this check breaks backward compatibility, which the deprecation notices are not supposed to do. Yeah, no one should have a reason to remotely load them, but if they do, a "function not existing" type of error should not be output before the HTML, again especially when wp_debug is off.
Looking further along these lines of reasoning, wp-includes-embed is a double offender as it will give an error also on the include it does when accessed directly. Hmmm, same problem with the two admin files that use this deprecation function.
#3
@
8 years ago
lol, should have looked better: rss.php is designed to do an output, so the second part applies to it; you get an error on the function and then on the ABSPATH not being defined
or am I looking again at the wrong place... sorry for the spam
#5
@
8 years ago
- Resolution wontfix deleted
- Status changed from closed to reopened
I am trying but my problem is not solving. When I place code in .htaccess I get 500 internal server error on my homepage. I don't understand how to solve this.
#6
@
8 years ago
- Resolution set to wontfix
- Status changed from reopened to closed
@mawais999 Please try the support forums at http://wordpress.org/support/ for help and troubleshooting your issue.
Hello @damian1989, welcome to Trac!
The same occurs in most of /wp-includes/*.php and /wp-admin/includes/*.php
However, this is not a security issue, nor is it something that intends on being "fixed" as it's not encountered during "standard usage". If WordPress is used on a production server, error displays should be disabled, and/or direct access to the php files in the above directories disabled.
Additionally, when you created this ticket: