oss-sec mailing list archives
Re: CVE Request - Wordpress 3.5 Full-path disclosure vulnerability
From: Giles Coochey <giles () coochey net>
Date: Mon, 21 Jan 2013 11:29:45 +0000
On 21/01/2013 10:59, Henrique Montenegro wrote:
> The issue can be seen only when PHP's display_errors is set to On. I have set up a default installation of WordPress 3.5 to display the issue. It can be accessed via the URL: http://blog.gilgalab.com.br/?s[]=1

Wouldn't setting PHP "display_errors" be for development only? The entire point of the directive is to give the developer more information 'in page'.

http://php.net/manual/en/errorfunc.configuration.php#ini.display-errors

Quoting: "This is a feature to support your development and should never be used on production systems (e.g. systems connected to the internet)."
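Added example, not part of the original post: a small check that reads a php.ini and reports whether display_errors would send error text (including full file paths) to the client, as discussed in the message above. The function names and both sample ini files are constructed for illustration, and the parser is a simplification of PHP's own ini handling.

```python
# PHP's ini parser treats these bare values as boolean false.
FALSE_VALUES = {"0", "off", "no", "false", "none", ""}


def parse_ini(text):
    """Return {directive: value}; a repeated directive keeps its last value here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue  # skip blanks, section headers and malformed lines
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(text):
    """Return a list of findings for error-handling directives."""
    s = parse_ini(text)
    findings = []
    # PHP's built-in default for display_errors is "1" when the directive is unset.
    if s.get("display_errors", "1").lower() not in FALSE_VALUES:
        findings.append("display_errors enabled: error messages, "
                        "including full file paths, reach the client")
    # With display off, errors are only visible to the operator if they are logged.
    if s.get("log_errors", "1").lower() in FALSE_VALUES:
        findings.append("log_errors disabled: errors are not recorded server-side")
    return findings


# Constructed sample: development-style settings.
DEV_INI = """
[PHP]
; show everything in the page while developing
display_errors = On
log_errors = Off
"""

# Constructed sample: production-style settings.
PROD_INI = """
[PHP]
display_errors = Off
log_errors = On
error_log = /var/log/php_errors.log
"""

if __name__ == "__main__":
    for name, ini in (("dev", DEV_INI), ("prod", PROD_INI)):
        print(name, audit(ini) or "ok")
```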