[wp-hackers] FW: [BugTraq] Path Disclosure - Wordpress 2.1.2

g30rg3_x g30rg3x at gmail.com
Tue Mar 27 02:20:31 GMT 2007


I agree too, I use a little piece of code in my theme and my plugins that
validates that the execution comes from WordPress and not from outside it...

if (!defined('ABSPATH')) {
    // ABSPATH is set by the WordPress bootstrap, so if it is missing the
    // file was requested directly rather than included by WordPress.
    die();
}

Greetings from Mexico...
2007/3/26, Robin Adrianse <robin.adr at gmail.com>:
> I agree -- hardly a bug, but it might be a good idea to add some checking to
> see if the user isn't loading the file directly. Perhaps an IN_WP constant?
>
> On 3/26/07, Aaron Brazell <abrazell at b5media.com> wrote:
> >
> > I saw this this morning on Bugtraq. I don't feel that this is a bug
> > of WordPress. The cause of the error may be a bug, but the fact that
> > the path is displayed is not a flaw of WordPress. It will happen in
> > any code on any platform that doesn't have display_errors off in
> > php.ini and is not specific to WordPress. Systems folks should be
> > addressing the vulnerability as a system configuration error - not
> > WordPress.
> >
> > That said, whatever the error is that caused the error display may
> > have to be addressed.
> > --
> > Aaron Brazell
> > Technology Manager, b5media
> > "A Global New Media Company"
> >
> > web:: www.b5media.com, www.technosailor.com
> > phone:: 410-608-6620
> > skype:: technosailor
> >
> >
> > On Mar 26, 2007, at 7:18 PM, Ross M. W. Bennetts wrote:
> >
> > > -----Original Message-----
> > > From: lj at subjectzero.net [mailto:lj at subjectzero.net]
> > > Sent: Sunday, 25 March 2007 1:51 PM
> > > To: bugtraq at securityfocus.com
> > > Subject: Path Disclosure - Wordpress 2.1.2
> > >
> > > Product : Wordpress 2.1.2
> > > Vulnerability Details :
> > > All the sites running on the latest version of wordpress 2.1.2 are
> > > exposed to a full path disclosure vulnerability.
> > >
> > > Proof of Concept:
> > > http://www.anysite.com/Path_to_wordpress/wp-includes/vars.php
> > >
> > > Error Returned:
> > >
> > > Fatal error: Call to undefined function get_option() in
> > > /home/santoshp/public_html/wp-includes/vars.php on line 92
> > >
> > > Location:
> > > www.indiaesecure.com/exploits.htm/wp212.txt
> > >
> > > _______________________________________________
> > > wp-hackers mailing list
> > > wp-hackers at lists.automattic.com
> > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
>


-- 
_________________________
             g30rg3_x
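Going beyond the single-file guard quoted above, the following is an added example (my own code, not from this thread, from g30rg3_x, or from WordPress) that walks a plugin or theme tree and lists the PHP files that contain no defined('ABSPATH') check, so a site owner can see which files would execute if a visitor requested them directly. The directory it scans and the guard spellings it accepts are assumptions.

```php
<?php
// Added example, not WordPress code: report PHP files under a directory that
// lack an ABSPATH guard and could therefore be executed by a direct request.

/**
 * Heuristic: treat a file as guarded if it tests defined('ABSPATH') anywhere
 * (covers the if/die form and the "defined('ABSPATH') or die" form, in either
 * quote style). Assumption: that is how the guard is written in the files.
 */
function hasAbspathGuard(string $source): bool
{
    return (bool) preg_match('/defined\s*\(\s*[\'"]ABSPATH[\'"]\s*\)/', $source);
}

/**
 * Recursively collect the paths of .php files under $root that have no guard.
 * Returns a sorted list so repeated runs are easy to diff.
 */
function findUnguardedFiles(string $root): array
{
    if (!is_dir($root)) {
        throw new InvalidArgumentException("not a directory: $root");
    }

    $unguarded = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );

    foreach ($iterator as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $source = file_get_contents($file->getPathname());
        if ($source === false) {
            continue; // unreadable file; skip rather than misreport it
        }
        if (!hasAbspathGuard($source)) {
            $unguarded[] = $file->getPathname();
        }
    }

    sort($unguarded);
    return $unguarded;
}

// Assumption: run from the WordPress root; override the directory via argv[1].
$root = $argv[1] ?? 'wp-content';
foreach (findUnguardedFiles($root) as $path) {
    echo "no ABSPATH guard: $path\n";
}
```

Run it from the WordPress root as `php find-unguarded.php wp-content/plugins`. The regex is deliberately loose: a file that mentions `defined('ABSPATH')` anywhere counts as guarded, and a file that only declares functions or classes prints nothing when loaded directly even without one, so review the list rather than treating every hit as a finding. The guard only helps when it sits before any code that calls WordPress functions such as `get_option()`; the system-level fix Aaron describes, `display_errors = Off` together with `log_errors = On` in php.ini, keeps the path out of the response whatever the file does.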

