| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1254241902.5323.14.camel@EMP-D>
Date: Tue, 29 Sep 2009 18:31:42 +0200
From: Loaden <loaden@...malmitprofis.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Full Path Disclosure in
most wordpress' plugins [?]
Hey
at first excuse my bad english. Thats a nice fix. But you need to change
the code for other plugins or files. This code works for all files which
should not be loaded directly:
if (basename($_SERVER['SCRIPT_NAME']) == basename(__FILE__))
exit('Please do not load this page directly');
If your webhoster don't have a configuration panel you can try to
disable errors with this in your index.php:
ini_set('display_errors', 0);
I'am no sure if it works if save mode is activated. Try it or look at
the PHP manual.
Regards
Loaden
On Mo, 2009-09-28 at 23:37 +0300, Glafkos Charalambous wrote:
> Hello,
>
>
>
> That definitely can be fixed easily with two lines of code but is
> still something that should have been prevented at earlier stages of
> "plugin" development
>
>
>
> "if (!empty($_SERVER['SCRIPT_FILENAME']) && 'akismet.php' ==
> basename($_SERVER['SCRIPT_FILENAME']))
>
> die ('Please do not load this page directly');"
>
>
>
> From the server side you can set PHP "warning" and "errors" OFF either
> through php.ini or PHP page itself but sometimes that's not an option
>
>
>
> Regards,
>
> Glafkos Charalambous
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists