Opened 6 years ago
Closed 6 years ago
#44663 closed defect (bug) (duplicate)
Disallow direct access to wp-includes php files
| Reported by: | lucasbustamante | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.9.7 |
| Component: | General | Keywords: | |
| Focuses: | | Cc: | |
Description
Running WP Scan on my website, I saw a full path disclosure vulnerability under wp-includes/rss-functions.php
Error code:

    Call to undefined function _deprecated_file() in /home/mydomain/public_html/wp-includes/rss-functions.php on line 8
This is its source code:

    <?php
    /**
     * Deprecated. Use rss.php instead.
     *
     * @package WordPress
     */
    _deprecated_file( basename(__FILE__), '2.1.0', WPINC . '/rss.php' );
    require_once( ABSPATH . WPINC . '/rss.php' );
A lot of files under wp-includes look similar to this one.
I wonder if it would make sense to prevent direct access to these files, since it uses the _deprecated_file() function, which is loaded with WordPress.

    <?php if ( ! defined( 'ABSPATH' ) ) exit;
I have turned off display_errors on my website, but still, it makes sense to me. Other people are having this issue, and many others don't even know what WP Scan is and are vulnerable without even knowing.
https://wordpress.stackexchange.com/questions/203123/full-path-disclosure-on-rss-functions-php
Change History (1)
Hey there
This has come up many times before, for example in #36177 and #30806.
Path disclosure is a server configuration problem. Never enable display_errors on a production site. See Security FAQ.
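The server-side configuration the comment points to, written out as an added example that is not from this ticket or from WordPress core. It assumes Apache 2.4 with mod_php, mod_rewrite and .htaccess overrides enabled for the site root; the error-log path is a placeholder.

```apache
# Added example (not from the ticket or WordPress core). Assumes Apache 2.4,
# mod_php and mod_rewrite, placed in the site root .htaccess.

# 1. Keep PHP errors out of HTTP responses so a fatal error in a directly
#    requested file cannot reveal the filesystem path. With PHP-FPM these
#    directives are ignored; set the same values in php.ini or the pool config.
php_flag  display_errors  Off
php_flag  log_errors      On
php_value error_log       /PLACEHOLDER/path/to/php-error.log

# 2. Defence in depth: refuse direct requests for include-only files, so the
#    deprecated shims under wp-includes are never executed outside WordPress.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # wp-admin/includes/ holds library code only
    RewriteRule ^wp-admin/includes/ - [F,L]
    # Skip the next three rules for anything outside wp-includes/
    RewriteRule !^wp-includes/ - [S=3]
    # Top-level wp-includes/*.php (rss-functions.php and friends)
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Caveat: on a multisite install the ^wp-includes/[^/]+\.php$ rule also blocks
# wp-includes/ms-files.php; add an explicit allow rule for it before that line.
```

After applying it, a direct request for wp-includes/rss-functions.php should return 403 rather than a PHP error, and the error text lands in the log file instead of the response body.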