oss-sec mailing list archives
Re: CVE Request - Wordpress 3.5 Full-path disclosure vulnerability
From: Henrique Montenegro <typoon () gmail com>
Date: Mon, 21 Jan 2013 12:03:42 -0200
Yes, I also agree that wordpress should fix this and I understand that this is a low-priority mostly configuration related issue. I was just not sure if this was eligible for a CVE or not. I'll keep this reference in mind for future times.

Thanks for the help!

Henrique

On Mon, Jan 21, 2013 at 12:00 PM, Henri Salo <henri () nerv fi> wrote:

> On Mon, Jan 21, 2013 at 11:29:45AM +0000, Giles Coochey wrote:
>> Wouldn't setting PHP "display_errors" be for development only, the entire point of the directive is to give the developer more information 'in page'.
>>
>> http://php.net/manual/en/errorfunc.configuration.php#ini.display-errors
>>
>> Quoting: "This is a feature to support your development and should never be used on production systems (e.g. systems connected to the internet)."
>
> You are correct. No CVE, but WordPress should still fix this. Please note that some configuration errors still get CVE, but this is not one of those in my opinion/knowledge. Path disclosures are usually low-priority issues.
>
> ---
> Henri Salo