All In One Vulnerability: Full Path Disclosure
-
Please, fix this bug.
yoursite.com/wp-content/plugins/all-in-one-wp-security-and-firewall/wp-security-core.php
Fatal error: Call to undefined function get_option() in /home/username/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-config.php on line 12
Sample solution: put this code in: wp-security-core.php
<?php error_reporting(0); //Turn off errors ?>
-
Hi, I just carried out a test on my own site using the path you mentioned above. I don’t get any error messages. All I see is a blank page with no source code added. So I can say that this fatal error does not occur in my set up. What PHP version are you currently running on your site? Or is your site hosted on a non-Apache server?
Thank you
Hi @livingflame,
Thanks for pointing that one out. This file is missing the standard
defined('ABSPATH') or die("Cheatin', huh?!");
check, I’ll add it.
Cheers,
?eslav@chesio, my apologies. I should have checked the file mentioned in the error above.
Thank you for responding with a solution.
Regards
Hi men!
yoursite.com/wp-content….
Here yoursite.com is only an example. Change it for your site.
I found a partial solution. In public_html/.user.ini (or php.ini, depending on your host):
display_errors = Off
So, you need to try this, and add this solution (or a better one) to your plugin, because this problem, full path disclosure, is present in many plugins (like WP Super Cache) and themes.
Other thing: please add Two Factor Authentication to your plugin, but compatible with BuddyPress logout. Moreover, make your plugin work better with BuddyPress and bbPress.
Other thing: Thanks for the opt. rename wp-login, but, add for wp-admin too ??
display_errors = Off works for all php full path disclosure.
But, for now, I don’t know if this solution is the best.
- This reply was modified 7 years, 11 months ago by livingflame.
@mbrsolution The error message only appears if a webserver has display_errors = On configured by default. Yours probably doesn’t, so you couldn’t see it. The display_errors option can be altered in several ways, as @livingflame suggested in his posts.
However, this only hides the error, it does not fix it. Even though hiding errors prevents full path disclosure, a better solution is to not trigger any error at all. In this case, it is enough to check if one of the core WordPress constants is defined. If it is not, it means that the PHP file is likely being accessed directly, so no code in the file should be executed (this way no errors are triggered and there is no full path disclosure). I already submitted a pull request, so this should hopefully be fixed in the next version.
display_errors = Off works for all php full path disclosure.
But, for now, I don’t know if this solution is the best.
This is a completely good solution how to prevent full path disclosure, but only when applied by webmaster, not from within a plugin code. Imagine that you install a plugin that turns off error reporting and in the same time conflicts with your other plugins. Suddenly, your site stops working, but you see no errors. Frustrating.
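As an added illustration of the guard discussed in the posts above (this is example code, not the plugin's own file, and the option name in it is a hypothetical placeholder): a plugin file that is requested directly by URL runs outside the WordPress bootstrap, so no core function such as get_option() exists yet. Checking for a core constant before doing anything else stops execution at that point, and the fatal error whose message carries the absolute path is never produced.

```php
<?php
// Added example, not code from the All In One WP Security plugin.
//
// WordPress defines ABSPATH in wp-load.php before any plugin file is
// included. When this file is fetched directly (for example by requesting
// /wp-content/plugins/<plugin>/classes/some-file.php in a browser), the
// constant is absent, so we stop here before any core function is called.
// Without this guard the first get_option() call below raises
// "Fatal error: Call to undefined function get_option() in /home/.../file.php",
// which is the full path disclosure reported at the top of this thread.
if ( ! defined( 'ABSPATH' ) ) {
    // A bare exit is sufficient. WordPress core files use a variant of:
    //   defined( 'ABSPATH' ) or die( "Cheatin', huh?!" );
    exit;
}

// From here on WordPress has been bootstrapped, so core functions exist.
// 'example_plugin_setting' is a placeholder option name for this example.
$example_setting = get_option( 'example_plugin_setting', 'default' );

// For contrast, the line the original post proposed instead of the guard:
//
//     error_reporting( 0 );
//
// It hides every error for the whole request (including errors from other
// plugins and themes) rather than preventing this one, which is why the
// replies above treat display_errors as a site-owner setting, not something
// plugin code should change.
```

Whether display_errors is on or off on the server makes no difference to this file once the guard is in place: nothing after the check executes on a direct request, so there is no error to display or to hide.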
I get it. That’s why I said: It’s a solution, but I do not think it’s the best.
So far it has worked for me. The site works normally. And many plugins and themes have this problem of showing the full path, including yours. If a hacker knows that… you know…
I hope you can find a better solution.
An off-topic question. How does AIO Scan work? I’ve tried the WordFence Scanner, it’s interesting, it even shows if a file has been changed.
I hope you can find a better solution.
For a plugin, the best way to avoid full path disclosure is to not trigger any PHP errors. The problem you reported will be fixed in the next version. I am not aware of any other part of the plugin that could trigger a PHP error/warning/notice at the moment, but if you find any other similar issue, we’ll fix it promptly.
An off-topic question. How does AIO Scan work? I’ve tried the WordFence Scanner, it’s interesting, it even shows if a file has been changed.
AIOWPSF file scanner will alert you when a file's modification date has changed since the last scan. Wordfence file scanner is more powerful, because it can alert you when file contents have changed.
Okey!
But, for the other PHP files of plugins and themes? Full Path Disc. is very extended… Can I use WordFence and AIOWSF together? I did try, but I get an error. No login.
But maybe you can update the AIOWSF Scanner next time.
But, for the other PHP files of plugins and themes? Full Path Disc. is very extended…
Well, as I said, if you are concerned with full path disclosure, then just apply
display_errors = Off
via your php.ini, or
php_flag display_errors off
via your .htaccess (if your server supports it). As a webmaster, you are in control of your website and this is a completely valid approach in such a case. I also encourage you to report any errors to plugin/theme developers like you did here.
On the other hand, as a plugin developer, I have no authority to decide whether a website should report errors or not – this is completely up to you (the website owner). Therefore, it is just wrong to call
error_reporting(0);
from within plugin code. As a plugin developer, I should only ensure that my code has no issues that would result in an error being reported.
Can I use WordFence and AIOWSF together? I did try, but I get an error. No login.
I don’t know about any compatibility problems, but having multiple security plugins active at the same time is often problematic. At least make sure you are not using the same features in both.
But maybe you can update the AIOWSF Scanner next time.
Maybe. I already have this function implemented, but it can be quite resource intensive and unfortunately I have no time to tweak it.
Hi there. Well, for now this >
display_errors = Off
is working.
You know, full path disclosure is a WP vulnerability.
About WordFence… okay… But I prefer one plugin, for now yours.
Please, add Google reCaptcha for Login, Register and any other form. Your native captcha does not work well on a site with BuddyPress.
About the file Scanner, update it! Maybe like WordFence…
Login Attempt list: If you can, put flags. For example: IP Address from Spain, etc.
Rename wp-admin like wp-login.
Includes this (.htaccess):
# Protect Headers
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header always append X-Frame-Options SAMEORIGIN
And some protection for SQL injections.
For now that is all. If I see any errors, I'll write to you! Good Luck!
One more thing… About the FireWall.
I don't know why, but https://www.wpdoctor.es does not detect this firewall as a valid WAF. The WAF section appears in red. Please, try this wpdoctor scanner ??
# Protect wp-includes directory
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# Prevent SQL injections
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
- This reply was modified 7 years, 10 months ago by livingflame.
Hi again, there is a little problem with the captcha: if you activate it, ok! It works one time, after that not. I don't know why! And with BuddyPress it does not work. Please check!
Suggestion: For custom captcha, add Google reCaptcha.
You can put a field to add the Google reCaptcha API keys ?? If it is active.
- The topic ‘All In One Vulnerability: Full Path Disclosure’ is closed to new replies.