Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Full Path Disclosure in most wordpress' plugins [?]

From: Loaden <loaden () einmalmitprofis com>
Date: Tue, 29 Sep 2009 18:31:42 +0200
Hey

at first excuse my bad english. Thats a nice fix. But you need to change
the code for other plugins or files. This code works for all files which
should not be loaded directly:

if (basename($_SERVER['SCRIPT_NAME']) == basename(__FILE__))
        exit('Please do not load this page directly');

If your webhoster don't have a configuration panel you can try to
disable errors with this in your index.php:

ini_set('display_errors', 0);

I'am no sure if it works if save mode is activated. Try it or look at
the PHP manual.

Regards

Loaden

On Mo, 2009-09-28 at 23:37 +0300, Glafkos Charalambous wrote:

Hello,

 

That definitely can be fixed easily with two lines of code but is
still something that should have been prevented at earlier stages of
"plugin" development

 

"if (!empty($_SERVER['SCRIPT_FILENAME']) && 'akismet.php' ==
basename($_SERVER['SCRIPT_FILENAME']))

 die ('Please do not load this page directly');"

 

From the server side you can set PHP "warning" and "errors" OFF either
through php.ini or PHP page itself but sometimes that's not an option

 

Regards,

Glafkos Charalambous



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: