lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <003301ca4144$bfd83680$3f88a380$@org.uk>
Date: Tue, 29 Sep 2009 23:37:56 +0300
From: "Glafkos Charalambous" <info@...osec.org.uk>
To: "'Peter Bruderer'" <peter.bruderer@....ch>,
	<full-disclosure@...ts.grok.org.uk>
Subject: Re: Full Path Disclosure
	in	most	wordpress'	plugins [?]

Hello,

Yes at some point you are right but this is not an option most of the times,
especially when you are on a shared hosting environment.

So either the developers need to secure their plugins or we do it ourselves
as this is still an issue for everybody using Wordpress Plugins.

Glafkos

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Peter
Bruderer
Sent: Tuesday, September 29, 2009 9:33 PM
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Full Path Disclosure in most wordpress'
plugins [?]

The proposed fix is definitely something that helps. But to me it  
looks like most people do not care anymore about server settings. As  
soon as it is kind of working, it is pushed to the Internet.

Why not avoid these problems completely and follow the recommendations  
in php.ini?

; Print out errors (as a part of the output).  For production web sites,
; you're strongly encouraged to turn this feature off, and use error  
logging
; instead (see below).  Keeping display_errors enabled on a production  
web site
; may reveal security information to end users, such as file paths on  
your Web
; server, your database schema or other information.
;
; possible values for display_errors:
;
; Off        - Do not display any errors
; stderr     - Display errors to STDERR (affects only CGI/CLI binaries!)
; stdout (On) - Display errors to STDOUT
;
display_errors = Off

; Even when display_errors is on, errors that occur during PHP's startup
; sequence are not displayed.  It's strongly recommended to keep
; display_startup_errors off, except for when debugging.
display_startup_errors = Off

; Log errors into a log file (server-specific log, stderr, or  
error_log (below))
; As stated above, you're strongly advised to use error logging in  
place of
; error displaying on production web sites.
log_errors = On


Now the error message is in the logfile and nothing is displayed in  
the browser.


Peter Bruderer
--
   Bruderer Research GmbH
   CH-8200 Schaffhausen





On 29.09.2009, at 18:31, Loaden wrote:

> Hey
>
> at first excuse my bad english. Thats a nice fix. But you need to  
> change
> the code for other plugins or files. This code works for all files  
> which
> should not be loaded directly:
>
> if (basename($_SERVER['SCRIPT_NAME']) == basename(__FILE__))
> 	exit('Please do not load this page directly');
>
> If your webhoster don't have a configuration panel you can try to
> disable errors with this in your index.php:
>
> ini_set('display_errors', 0);
>
> I'am no sure if it works if save mode is activated. Try it or look at
> the PHP manual.
>
> Regards
>
> Loaden
>
> On Mo, 2009-09-28 at 23:37 +0300, Glafkos Charalambous wrote:
>> Hello,
>>
>>
>>
>> That definitely can be fixed easily with two lines of code but is
>> still something that should have been prevented at earlier stages of
>> "plugin" development
>>
>>
>>
>> "if (!empty($_SERVER['SCRIPT_FILENAME']) && 'akismet.php' ==
>> basename($_SERVER['SCRIPT_FILENAME']))
>>
>> die ('Please do not load this page directly');"
>>
>>
>>
>> From the server side you can set PHP "warning" and "errors" OFF  
>> either
>> through php.ini or PHP page itself but sometimes that's not an option
>>
>>
>>
>> Regards,
>>
>> Glafkos Charalambous
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ