Re: [Full-disclosure] Full Path Disclosure in most wordpress' plugins [?]



The proposed fix is definitely something that helps. But to me it
looks like most people do not care anymore about server settings. As
soon as it is kind of working, it is pushed to the Internet.

Why not avoid these problems completely and follow the recommendations
in php.ini?

; Print out errors (as a part of the output). For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below). Keeping display_errors enabled on a production web site
; may reveal security information to end users, such as file paths on your Web
; server, your database schema or other information.
;
; possible values for display_errors:
;
; Off - Do not display any errors
; stderr - Display errors to STDERR (affects only CGI/CLI binaries!)
; stdout (On) - Display errors to STDOUT
;
display_errors = Off

; Even when display_errors is on, errors that occur during PHP's startup
; sequence are not displayed. It's strongly recommended to keep
; display_startup_errors off, except for when debugging.
display_startup_errors = Off

; Log errors into a log file (server-specific log, stderr, or error_log (below))
; As stated above, you're strongly advised to use error logging in place of
; error displaying on production web sites.
log_errors = On


Now the error message is in the logfile and nothing is displayed in
the browser.


Peter Bruderer
--
Bruderer Research GmbH
CH-8200 Schaffhausen





On 29.09.2009, at 18:31, Loaden wrote:

Hey

First, excuse my bad English. That's a nice fix. But you need to change
the code for other plugins or files. This code works for all files
which should not be loaded directly:

// Refuse to run when this file is the requested script rather than an include
if (basename($_SERVER['SCRIPT_NAME']) == basename(__FILE__)) {
    exit('Please do not load this page directly');
}

If your web hoster doesn't have a configuration panel, you can try to
disable errors with this in your index.php:

ini_set('display_errors', 0);

I'm not sure if it works if safe mode is activated. Try it or look at
the PHP manual.

Regards

Loaden

On Mo, 2009-09-28 at 23:37 +0300, Glafkos Charalambous wrote:
Hello,



That definitely can be fixed easily with two lines of code, but it is
still something that should have been prevented at earlier stages of
"plugin" development.



// Bail out when akismet.php itself is the script the web server was asked for
if (!empty($_SERVER['SCRIPT_FILENAME']) && 'akismet.php' == basename($_SERVER['SCRIPT_FILENAME'])) {
    die('Please do not load this page directly');
}



From the server side you can set PHP "warnings" and "errors" OFF either
through php.ini or the PHP page itself, but sometimes that's not an option.



Regards,

Glafkos Charalambous


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
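The two fixes discussed in the thread, the direct-access guard and turning off error display while keeping error logging, combined into one script that can be run with `php fpd_demo.php`. This is an added example, not code from Peter, Loaden, Glafkos or WordPress; the file name, the log path under the system temp directory and the sample request paths standing in for `$_SERVER` values are constructed for the demo. The guard goes slightly beyond the posted snippets: it compares whole paths when both are absolute and only falls back to basenames otherwise, so an unrelated entry point that happens to share the file name is not mistaken for a direct request. (WordPress core defines `ABSPATH` before it loads plugins, so `if (!defined('ABSPATH')) exit;` is the usual alternative guard inside WordPress.)

```php
<?php
declare(strict_types=1);

// Added example for this thread; not code from the original posts or from
// WordPress. File name, log path and sample request values are constructed.

/**
 * The direct-access guard as a pure function: true when the script the web
 * server was asked for is the plugin file itself rather than the application
 * entry point that include()s it. Whole paths are compared when both are
 * absolute; otherwise basenames, as in the snippets posted in the thread.
 */
function loadedDirectly(string $requestedScript, string $pluginFile): bool
{
    if ($requestedScript === '' || $pluginFile === '') {
        return false;                       // nothing known about the request
    }
    if ($requestedScript[0] === '/' && $pluginFile[0] === '/') {
        return $requestedScript === $pluginFile;
    }
    return basename($requestedScript) === basename($pluginFile);
}

/**
 * Loaden's ini_set() suggestion carried through: stop displaying errors but
 * keep logging them, so the full path reaches the administrator's log and not
 * the visitor. Returns the effective values so the caller can verify them.
 */
function hardenErrorOutput(string $logFile): array
{
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', $logFile);
    // Keep reporting at full level: the fix changes where errors go, not
    // whether they are recorded. error_reporting(0) would empty the log too.
    error_reporting(E_ALL);
    return [
        'display_errors' => ini_get('display_errors'),
        'log_errors'     => ini_get('log_errors'),
        'error_log'      => ini_get('error_log'),
    ];
}

// --- demo -------------------------------------------------------------------

$plugin = '/var/www/wp-content/plugins/akismet/akismet.php';      // constructed
$requests = [
    '/var/www/wp-content/plugins/akismet/akismet.php' => true,   // direct GET
    '/var/www/index.php'                              => false,  // via WordPress
    'akismet.php'                                     => true,   // SCRIPT_NAME style
    ''                                                => false,  // CLI / unknown
];
foreach ($requests as $requested => $expected) {
    $got = loadedDirectly($requested, $plugin);
    printf("%-52s direct=%-5s %s\n", var_export($requested, true),
        var_export($got, true), $got === $expected ? 'ok' : 'MISMATCH');
}

$log = sys_get_temp_dir() . '/fpd_demo.log';
@unlink($log);
$settings = hardenErrorOutput($log);

// What a directly requested plugin file typically does is hit code that only
// works inside the application. A warning stands in for the fatal
// "Call to undefined function" so the script can continue and show the log.
trigger_error('simulated plugin warning', E_USER_WARNING);

echo "effective settings: " . json_encode($settings) . "\n";
echo "shown to the client: (nothing)\n";
echo "written to $log:\n" . file_get_contents($log);
```

Run it twice, once as is and once with the `hardenErrorOutput()` call commented out, to see the difference: without it the warning, including the absolute path of the script, is printed to the output, which is the disclosure the thread is about; with it the same line appears only in the log file.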




