[wp-hackers] FW: [BugTraq] Path Disclosure - Wordpress 2.1.2

Aaron Brazell abrazell at b5media.com
Mon Mar 26 23:42:31 GMT 2007


I saw this this morning on Bugtraq. I don't feel that this is a bug  
of WordPress. The cause of the error may be a bug, but the fact that  
the path is displayed is not a flaw of WordPress. It will happen in  
any code on any platform that doesn't have display_errors off in  
php.ini and is not specific to WordPress. Systems folks should be  
addressing the vulnerability as a system configuration error - not  
WordPress.

That said, whatever the error is that caused the error display may  
have to be addressed.
--
Aaron Brazell
Technology Manager, b5media
"A Global New Media Company"

web:: www.b5media.com, www.technosailor.com
phone:: 410-608-6620
skype:: technosailor


On Mar 26, 2007, at 7:18 PM, Ross M. W. Bennetts wrote:

> -----Original Message-----
> From: lj at subjectzero.net [mailto:lj at subjectzero.net]
> Sent: Sunday, 25 March 2007 1:51 PM
> To: bugtraq at securityfocus.com
> Subject: Path Disclosure - Wordpress 2.1.2
>
> Product : Wordpress 2.1.2
> Vulnerability Details :
> All the sites running on the latest version of wordpress 2.1.2 are exposed
> to a full path disclosure vulnerability.
>
> Proof of Concept:
> http://www.anysite.com/Path_to_wordpress/wp-includes/vars.php
>
> Error Returned:
>
> Fatal error: Call to undefined function get_option() in
> /home/santoshp/public_html/wp-includes/vars.php on line 92
>
> Location:
> www.indiaesecure.com/exploits.htm/wp212.txt
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
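Added example, not part of the original thread or of WordPress: a Python check that scans HTTP response bodies from your own site for PHP error messages of the kind quoted above and extracts the filesystem path they expose, which is what appears when display_errors is left on. The function names and the example.test hostnames are hypothetical; the sample responses are constructed from the error text in the Bugtraq post.

```python
import re
from html import unescape

# PHP error output has the shape "<Level>: <message> in <file> on line <N>".
# With html_errors enabled the level, file and line are wrapped in <b> tags,
# so tags are stripped before matching.
_TAGS = re.compile(r"<[^>]+>")
_PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice)\s*:\s+"
    r"(?P<message>.*?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:\\).+?)\s+on line\s+(?P<line>\d+)"
)


def find_path_disclosures(body):
    """Return one dict per PHP error message that exposes a filesystem path."""
    text = unescape(_TAGS.sub("", body))
    return [
        {"level": m["level"], "message": m["message"],
         "path": m["path"], "line": int(m["line"])}
        for m in _PHP_ERROR.finditer(text)
    ]


def audit(responses):
    """Map each URL to its findings, keeping only URLs that leak a path."""
    hits = {url: find_path_disclosures(body) for url, body in responses.items()}
    return {url: found for url, found in hits.items() if found}


# Constructed sample responses (hostnames are placeholders). The error text is
# the one quoted in the Bugtraq post, in plain and html_errors form.
SAMPLE_RESPONSES = {
    "https://blog.example.test/wp-includes/vars.php":
        "Fatal error: Call to undefined function get_option() in "
        "/home/santoshp/public_html/wp-includes/vars.php on line 92",
    "https://staging.example.test/wp-includes/vars.php":
        "<br />\n<b>Fatal error</b>:  Call to undefined function get_option() "
        "in <b>/home/santoshp/public_html/wp-includes/vars.php</b> "
        "on line <b>92</b><br />",
    "https://blog.example.test/":
        "<html><body><p>Posted in News. Warning: long read.</p></body></html>",
}

if __name__ == "__main__":
    for url, found in audit(SAMPLE_RESPONSES).items():
        for f in found:
            print(f"{url}: {f['level']} leaks {f['path']} (line {f['line']})")
```

A URL that shows up in the audit result is serving PHP errors to visitors; an empty result for the same request after display_errors is turned off confirms the configuration change took effect.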


