  • Thread Starter Dextro

    (@dextro)

    The security problem is that you can see the whole path structure where your wordpress is installed. For example with the website of macmanx:
    Go to: https://www.macmanx.com/wordpress/wp-content/themes/default/index.php

    and you get:
    Fatal error: Call to undefined function: get_header() in /home/macmanxc/public_html/wordpress/wp-content/themes/default/index.php on line 1

    Now you have the full path of the installation on the server, also known as Full Path Disclosure, but apparently no one has ever heard of that here before.

    I just want to help making things safer, no problem for me. I don’t use WordPress.


    Dextro: no, we’ve heard of it… it’s just something that should be turned off in the PHP install. If your host lets you throw out errors to the browser, your host is doing you a disservice.

    If you remain unretractable in your contention that a sysadmin issue just *has* to be taken care of by WordPress, please file a bug: https://trac.www.remarpro.com

    As for themes and plugins, you raise an interesting issue—it can’t be too hard to just let wp include them and not execute upon a GET request by the browser.

    And to anyone reading this who is worried, I would go back to the one topic about security you should not ignore: Your Password.

    That is your weakest link.
    Not server stuff, not php code, not exploits or XSS.

    Use a decent password, and do not think it up yourself:
    https://www.anypassword.com/
    It’s free, Use it.

    Dextro: Perhaps I’m daft on this issue, but how is that compromising data? Most home paths like that can be guessed — especially on shared hosting like *most* people have.

    Aside from being an ugly error message, what paths does this lead or potential hacker down? Unless the hacker has an account on your shared server, and the server isn’t jailrooted (or whatever that technique is called) then I’m not aware of how this comes as useful information.

    Enlighten me (us) ?

    This is solved by including an empty index.html in empty dirs, or dirs where there isn’t already something that would be called by default. That IS something that MOST serious software developers already do

    whoami: are you saying wordpress isn’t serious software?

    Quote taken on full path disclosure:

    Most PHP error/warning/notice msg can reveal physical path. But path disclosure does nothing unless you intend to gain root access to target account, e.g. FTP access through anonymous FTP vulnerabilities.

    They would have to find another vulnerability on the box for the full path disclosure to be of any use to them.

    Other than that, a google for “full path disclosure” just returns a ton of bugs in php-nuke. All multiple-set bugs are a high risk … bug and a low risk full path disclosure.

    On another note, why not just add:
    php_flag display_errors off to the .htaccess and you won’t show the paths for anymore errors. Who cares what plugins you have installed?
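The two mitigations raised in this thread, an index file in every bare directory and a display_errors override in .htaccess, can be checked with a small audit script. This is an added example, not code from the thread or from WordPress; the sample tree it inspects is constructed inside the script.

```shell
#!/bin/sh
# Added audit script (not from the thread). Checks a WordPress tree for the two
# mitigations discussed above: directories with no index file, which permit a
# directory listing where the host has not disabled it, and the absence of a
# display_errors override in .htaccess. The sample tree is constructed here.

# List every directory under $1 that has neither index.php nor index.html.
dirs_without_index() {
    find "$1" -type d | while IFS= read -r d; do
        [ -e "$d/index.php" ] || [ -e "$d/index.html" ] || printf '%s\n' "$d"
    done
}

# Succeed only if $1/.htaccess contains "php_flag display_errors off".
htaccess_hides_errors() {
    grep -Eiq '^[[:space:]]*php_flag[[:space:]]+display_errors[[:space:]]+off' \
        "$1/.htaccess" 2>/dev/null
}

# Create an empty index.html in each bare directory (the fix whooami describes).
add_placeholder_index() {
    dirs_without_index "$1" | while IFS= read -r d; do
        : > "$d/index.html"
    done
}

# Build a constructed sample tree shaped like the layout in the thread and
# print its path. Only the root and the default theme ship an index.php.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/default" "$root/wp-content/plugins" \
             "$root/wp-content/uploads"
    : > "$root/index.php"
    : > "$root/wp-content/themes/default/index.php"
    printf '%s\n' "$root"
}

demo=$(make_demo_tree)
echo "Directories that would list their contents:"
dirs_without_index "$demo"
if htaccess_hides_errors "$demo"; then
    echo "display_errors is turned off in .htaccess"
else
    echo "no display_errors override in .htaccess; PHP errors may reveal paths"
fi
add_placeholder_index "$demo"
echo "After adding placeholders: $(dirs_without_index "$demo" | wc -l | tr -d ' ') bare directories remain"
rm -rf "$demo"
```

Point the functions at a real install root instead of the constructed tree to audit your own site; the script only ever writes empty index.html files.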

    “php_flag display_errors off to the .htaccess and you won’t show the paths for anymore errors. Who cares what plugins you have installed?”

    1. because not everyone can or wants to do that?

    2.
    lots of people care.
    lots of people are nosy.
    lots, in fact most of your userbase’s login names are IN FACT revealed in that aforementioned and semi-dismissed directory traversal ‘issue’. Some ppl may even have that as their root MySQL login name. Guess what? They pay for hosting — they can’t change it just because you decided an empty index.html was too tough for you to include.

    I can rattle off at least a handful of web based apps that provide a simple damn index.html in those dirs that they ALREADY know need them.

    Why does it seem that the very minute anyone brings up what might be a very small thing to do, people get so damn defensive?

    It’s such a simple thing to do, I don’t see why you don’t say, “gee ya know, yeah that’s a good idea, we forgot that, we overlooked that, we whatever.. good job, thanks for that”, and let it go, instead of passing off some damn error blocking code thing for ppl to put into their .htaccess.

    How about putting that in your docs:

    “Some pages of your admin area may be subject to either directory traversal errors (yes I submitted the bug about it) but we decided that YOU should have to add a line to your .htaccess squelching errors because we are too damn arrogant OR lazy OR bullheaded to admit we overlooked it”

    I certainly hope you never intend on this turning into a commercial endeavor. Cuz your customer care is really starting to suck. I have to tell you too, that you can delete or moderate disparaging posts all day long — as your userbase grows the complaints are going to grow along with it. You can either address them or not I guess, in the end the fallout will be wordpress’ problem.

    the last time I checked this was made by humans, right, or did you all pass over into deity status?

    On another note, why not just add:
    php_flag display_errors off to the .htaccess …

    That’s the biggest problem with the so-called “inner circle” of WP people. You, guys, seem to have no idea what the real world of the average user looks like. The average joe (and BTW you are proudly boasting about their numbers in the download counter!) has no programming knowledge, doesn’t know what the .htaccess file is, even if he has one created by WP for permalinks still doesn’t know how to edit it, he is blogging from a freaking windoz machine and in the best case scenario is able to ftp the files. That’s it.
    Any fancy advice about php code, telnet, command lines and other BS (so often seen around) will not help WP to become as popular as it could be. It is time to start to think about install, docs and everything for the average win pc population. Or if the target group for “marketing” is different – say so on the first page of WP.

    You can either address them or not I guess, in the end the fallout will be wordpress’ problem.

    the last time I checked this was made by humans, right, or did you all pass over into deity status?

    So, wait, which part is going to be the downfall of WordPress? Is it the fact that WP devs are — apparently — gods, or this whole “full path disclosure” thing?

    Wow, this thread got outta control, but at least you’re making it interesting to read!

    On one host I have, you cannot see a directory listing (of any directory without an index) as they have disabled it.
    On my main host, you can – this thread prompted me to check – so I have implemented the .htaccess across the domain. I have NOT done this because of WordPress as that is easily solved – as whooami says – by including a simple index file in a few directories, or because of any PATH info. I maintain that passwords are the biggest risk.

    I’ve done it because image galleries and other directories not related to WP can be ‘looked into’ if the option is not disallowed and while I’ve nothing to hide, I can do without some jackass eating bandwidth by downloading everything. I can think of half a dozen bloggers who if I can see their image listings I could chew their BW allocation.
    So yes, there may well be a risk (I defer to the people who know more) but equally there are very good reasons for not allowing this anyway.

    chuyskywalker,

    I used the word ‘fallout’ not ‘downfall’. They have the same amount of syllables but are different words and have different meanings.

    Whooami, please calm down and come back later. Your concern has been noted.
