[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <48BE5131-47E7-478D-BE9D-966788D7326B@brg.ch>
Date: Tue, 29 Sep 2009 20:33:14 +0200
From: Peter Bruderer <peter.bruderer@....ch>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Full Path Disclosure in
most wordpress' plugins [?]
The proposed fix is definitely something that helps. But to me it
looks like most people do not care anymore about server settings. As
soon as it is kind of working, it is pushed to the Internet.
Why not avoid these problems completely and follow the recommendations
in php.ini?
; Print out errors (as a part of the output). For production web sites,
; you're strongly encouraged to turn this feature off, and use error
logging
; instead (see below). Keeping display_errors enabled on a production
web site
; may reveal security information to end users, such as file paths on
your Web
; server, your database schema or other information.
;
; possible values for display_errors:
;
; Off - Do not display any errors
; stderr - Display errors to STDERR (affects only CGI/CLI binaries!)
; stdout (On) - Display errors to STDOUT
;
display_errors = Off
; Even when display_errors is on, errors that occur during PHP's startup
; sequence are not displayed. It's strongly recommended to keep
; display_startup_errors off, except for when debugging.
display_startup_errors = Off
; Log errors into a log file (server-specific log, stderr, or
error_log (below))
; As stated above, you're strongly advised to use error logging in
place of
; error displaying on production web sites.
log_errors = On
Now the error message is in the logfile and nothing is displayed in
the browser.
Peter Bruderer
--
Bruderer Research GmbH
CH-8200 Schaffhausen
On 29.09.2009, at 18:31, Loaden wrote:
> Hey
>
> at first excuse my bad english. Thats a nice fix. But you need to
> change
> the code for other plugins or files. This code works for all files
> which
> should not be loaded directly:
>
> if (basename($_SERVER['SCRIPT_NAME']) == basename(__FILE__))
> exit('Please do not load this page directly');
>
> If your webhoster don't have a configuration panel you can try to
> disable errors with this in your index.php:
>
> ini_set('display_errors', 0);
>
> I'am no sure if it works if save mode is activated. Try it or look at
> the PHP manual.
>
> Regards
>
> Loaden
>
> On Mo, 2009-09-28 at 23:37 +0300, Glafkos Charalambous wrote:
>> Hello,
>>
>>
>>
>> That definitely can be fixed easily with two lines of code but is
>> still something that should have been prevented at earlier stages of
>> "plugin" development
>>
>>
>>
>> "if (!empty($_SERVER['SCRIPT_FILENAME']) && 'akismet.php' ==
>> basename($_SERVER['SCRIPT_FILENAME']))
>>
>> die ('Please do not load this page directly');"
>>
>>
>>
>> From the server side you can set PHP "warning" and "errors" OFF
>> either
>> through php.ini or PHP page itself but sometimes that's not an option
>>
>>
>>
>> Regards,
>>
>> Glafkos Charalambous
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists