[wp-trac] Re: [WordPress Trac] #9185: cordon off all non-entry points from the public
WordPress Trac
wp-trac at lists.automattic.com
Fri Feb 20 04:49:50 GMT 2009
#9185: cordon off all non-entry points from the public
-----------------------------+----------------------------------------------
Reporter: jidanni | Owner: ryan
Type: feature request | Status: new
Priority: normal | Milestone: 2.9
Component: Security | Version: 2.7
Severity: normal | Keywords: 2nd-opinion dev-feedback
-----------------------------+----------------------------------------------
Changes (by DD32):
* keywords: => 2nd-opinion dev-feedback
* type: defect (bug) => feature request
* milestone: 2.8 => 2.9
Comment:
Moving to 2.9 due to no patch, and it is a feature request.
The worst that will ever happen is a fatal PHP error is shown, allowing an
end-user to find out the path in which WordPress is installed. Many have
argued in the past that this is a security issue, and allows people to more
easily exploit a WordPress installation, but the fact is, they'll do it
one way or another anyway.
Due to the way WordPress is structured, it will always be impossible for
code execution, or unintended permanent changes to be made to WordPress,
the database, files, or the server by directly accessing any non-entry
point. If it was wanted, it could be set to redirect users back to the
front page in the event that they do come across the page, but it's not
exactly a needed requirement (or urgent item).
Something such as this could be added to every page:
{{{
if ( ! defined('ABSPATH') ) {
    header('Location: ../'); // Despite the fact you should only use absolute URLs here..
    die('Bugger off');
}
}}}
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9185#comment:1>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
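The comment above proposes adding an ABSPATH guard to every non-entry-point file. A defender who adopts that idea also wants a way to verify it was applied everywhere. The script below is an added example, not code from the ticket or from WordPress: it walks a directory tree and lists every `.php` file whose first 20 lines contain no `defined('ABSPATH')` check. The sample tree it builds (`guarded.php`, `unguarded.php`, `readme.txt`), the function names, the 20-line window and the regular expression are all assumptions made for this example.

```shell
#!/bin/sh
# Audit helper (constructed example, not WordPress code): find PHP files
# that lack the ABSPATH direct-access guard discussed in the ticket.

# find_unguarded DIR
# Prints, one per line, every *.php file under DIR whose first 20 lines
# contain no defined('ABSPATH') / defined( "ABSPATH" ) check.
# The 20-line window and the pattern are heuristics chosen for this example.
find_unguarded() {
    dir="$1"
    find "$dir" -type f -name '*.php' | LC_ALL=C sort | while IFS= read -r f; do
        if ! head -n 20 "$f" | grep -Eq "defined\( *['\"]ABSPATH['\"] *\)"; then
            printf '%s\n' "$f"
        fi
    done
}

# count_unguarded DIR
# Number of unguarded PHP files, convenient as a CI gate (expect 0 after
# excluding the real entry points such as index.php).
count_unguarded() {
    find_unguarded "$1" | wc -l | tr -d ' '
}

# make_sample_tree DIR
# Builds a small constructed tree: one guarded file, one unguarded file,
# and a non-PHP file that must be ignored.
make_sample_tree() {
    dir="$1"
    mkdir -p "$dir/wp-includes"
    cat > "$dir/wp-includes/guarded.php" <<'EOF'
<?php
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}
function guarded_helper() { return 1; }
EOF
    cat > "$dir/wp-includes/unguarded.php" <<'EOF'
<?php
function unguarded_helper() { return 2; }
EOF
    printf 'not php\n' > "$dir/wp-includes/readme.txt"
}

# Stand-alone run: build the sample tree, report, clean up.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
echo "Unguarded PHP files under $tmp:"
find_unguarded "$tmp"
rm -rf "$tmp"
```

Run against a real install as `find_unguarded /path/to/wordpress`. Legitimate entry points (for example `index.php` or `wp-login.php`) will appear in the output because they are meant to be requested directly, so a practitioner would maintain a short allow-list of those and treat any other hit as a file that still needs the guard.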