Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request - Wordpress 3.5 Full-path disclosure vulnerability
From: Giles Coochey <giles () coochey net>
Date: Mon, 21 Jan 2013 11:29:45 +0000

On 21/01/2013 10:59, Henrique Montenegro wrote:
The issue can be seen only when PHP's display_errors is set to On.
I have setup a default installation of wordpress 3.5 to display the issue.
  It can be accessed via the URL: http://blog.gilgalab.com.br/?s[]=1



Wouldn't setting PHP "display_errors" be for development only, the entire point of the directive is to give the developer more information 'in page'.

http://php.net/manual/en/errorfunc.configuration.php#ini.display-errors

Quoting:
"This is a feature to support your development and should never be used on production systems (e.g. systems connected to the internet)."

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]