Make WordPress Core

#44663 closed defect (bug) (duplicate)

Disallow direct access to wp-includes php files

Reported by: lucasbustamante
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.9.7
Component: General
Keywords:
Focuses:
Cc:

Description

Running WP Scan on my website, I saw a full path disclosure vulnerability under wp-includes/rss-functions.php

Error code:

    Call to undefined function _deprecated_file() in /home/mydomain/public_html/wp-includes/rss-functions.php on line 8

This is its source code:

    <?php
    /**
     * Deprecated. Use rss.php instead.
     *
     * @package WordPress
     */
    _deprecated_file( basename(__FILE__), '2.1.0', WPINC . '/rss.php' );
    require_once( ABSPATH . WPINC . '/rss.php' );

A lot of files under wp-includes look similar to this one.

I wonder if it would make sense to prevent direct access to these files, since they use the _deprecated_file() function, which is loaded with WordPress.

    <?php
    if ( ! defined( 'ABSPATH' ) ) exit;

I have turned off display_errors on my website, but still, it makes sense to me. Other people are having this issue, and many others don't even know what WP Scan is and are vulnerable without even knowing.

https://wordpress.stackexchange.com/questions/203123/full-path-disclosure-on-rss-functions-php

Change History (1)

#1 @swissspidy
14 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hey there

This has come up many times before, for example in #36177 and #30806.

Path disclosure is a server configuration problem. Never enable display_errors on a production site. See Security FAQ.
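As an added example, not code from the ticket or from WordPress core: a POSIX shell check that requests the shim file directly, the way WPScan did for the reporter, and tells you whether the response body discloses the server's filesystem path, which is exactly the condition that display_errors = Off (the resolution above) removes. It assumes curl is installed and takes the site URL as a placeholder argument; the list of paths to probe is an assumption seeded with the one file the ticket names, and the sample response bodies are constructed, not captured from any real site.

```shell
#!/bin/sh
# Added example, not code from the ticket or from WordPress core.
# Checks whether requesting a wp-includes shim directly makes the server
# echo its absolute filesystem path in a PHP error (full path disclosure).
# Assumes: curl is installed; the site URL is passed as $1 (placeholder).

# Files to request directly. Only rss-functions.php is named in the ticket;
# keeping a list is an assumption so further shims can be added.
PROBE_PATHS="wp-includes/rss-functions.php"

# Constructed sample responses (not captured from a real site).
# PHP 7+ with html_errors=On, as display_errors=On would render it:
SAMPLE_LEAKY_HTML='<br />
<b>Fatal error</b>:  Uncaught Error: Call to undefined function _deprecated_file() in <b>/home/mydomain/public_html/wp-includes/rss-functions.php:8</b>
Stack trace:
#0 {main}
  thrown in <b>/home/mydomain/public_html/wp-includes/rss-functions.php</b> on line <b>8</b><br />'
# PHP 5 plain-text style, matching the line quoted in the ticket:
SAMPLE_LEAKY_TEXT='Call to undefined function _deprecated_file() in /home/mydomain/public_html/wp-includes/rss-functions.php on line 8'
# What a host with display_errors=Off returns: an error page with no path in it.
SAMPLE_CLEAN='<html><body><h1>500 Internal Server Error</h1>
<p>Try <a href="/wp-includes/rss.php">/wp-includes/rss.php</a> instead.</p></body></html>'

# fpd_in_body BODY
# Strips HTML tags, then prints each absolute .php path that appears in a
# PHP error location ("in /path/file.php:N" or "in /path/file.php on line N"),
# one per line, and returns 0; returns 1 when the body discloses nothing.
fpd_in_body() {
    paths=$(printf '%s\n' "$1" \
        | sed -E 's/<[^>]*>//g' \
        | grep -oE ' in /[^ :]+\.php(:[0-9]+| on line [0-9]+)' \
        | sed -E 's/^ in (\/[^ :]+\.php).*$/\1/' \
        | sort -u)
    [ -n "$paths" ] || return 1
    printf '%s\n' "$paths"
}

# probe_site BASE_URL
# Sends a plain GET for each shim (run this against your own site only)
# and reports whether the response body leaks a path.
probe_site() {
    base="${1%/}"
    for p in $PROBE_PATHS; do
        body=$(curl -sS --max-time 10 "$base/$p") || {
            printf 'ERR  %s (request failed)\n' "$base/$p"
            continue
        }
        if leaked=$(fpd_in_body "$body"); then
            printf 'LEAK %s -> %s\n' "$base/$p" "$leaked"
        else
            printf 'ok   %s\n' "$base/$p"
        fi
    done
}

if [ "$#" -gt 0 ]; then
    probe_site "$1"
fi
```

Run it as `sh fpd-check.sh https://example.org`. A LEAK line means PHP is printing fatal errors to the client: set display_errors = Off (keep log_errors = On so the message still reaches the error log) in the PHP configuration, which is the server-side fix the resolution points to. The per-file ABSPATH guard proposed in the description would also stop this particular fatal error, but only in the files that carry it; a host that still shows errors will leak the path from the next unguarded file.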
