[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Full Path Disclosure in most wordpress' plugins [?]
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Full Path Disclosure in most wordpress' plugins [?]
- From: Loaden <loaden@xxxxxxxxxxxxxxxxxxx>
- Date: Tue, 29 Sep 2009 18:31:42 +0200
Hey
at first excuse my bad english. Thats a nice fix. But you need to change
the code for other plugins or files. This code works for all files which
should not be loaded directly:
if (basename($_SERVER['SCRIPT_NAME']) == basename(__FILE__))
exit('Please do not load this page directly');
If your webhoster don't have a configuration panel you can try to
disable errors with this in your index.php:
ini_set('display_errors', 0);
I'am no sure if it works if save mode is activated. Try it or look at
the PHP manual.
Regards
Loaden
On Mo, 2009-09-28 at 23:37 +0300, Glafkos Charalambous wrote:
> Hello,
>
>
>
> That definitely can be fixed easily with two lines of code but is
> still something that should have been prevented at earlier stages of
> "plugin" development
>
>
>
> "if (!empty($_SERVER['SCRIPT_FILENAME']) && 'akismet.php' ==
> basename($_SERVER['SCRIPT_FILENAME']))
>
> die ('Please do not load this page directly');"
>
>
>
> From the server side you can set PHP "warning" and "errors" OFF either
> through php.ini or PHP page itself but sometimes that's not an option
>
>
>
> Regards,
>
> Glafkos Charalambous
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/