Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request - Wordpress 3.5 Full-path disclosure vulnerability
From: Henrique Montenegro <typoon () gmail com>
Date: Mon, 21 Jan 2013 12:03:42 -0200

Yes, I also agree that wordpress should fix this and I understand that this
is a low-priority mostly configuration related issue. I was just not sure
if this was eligible for a CVE or not. I'll keep this reference in mind for
future times.

Thanks for the help!

Henrique


On Mon, Jan 21, 2013 at 12:00 PM, Henri Salo <henri () nerv fi> wrote:

On Mon, Jan 21, 2013 at 11:29:45AM +0000, Giles Coochey wrote:
Wouldn't setting PHP "display_errors" be for development only, the
entire point of the directive is to give the developer more
information 'in page'.

http://php.net/manual/en/errorfunc.configuration.php#ini.display-errors

Quoting:
"This is a feature to support your development and should never be
used on production systems (e.g. systems connected to the
internet)."

You are correct. No CVE, but WordPress should still fix this. Please note
that
some configuration errors still get CVE, but this is not one of those in my
opinion/knowledge. Path disclosures are usually low-priority issues.

---
Henri Salo


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]