WordPress Full Path Disclosure issue.


I am quite interested in security so I recently installed BackTrack on 1 of my spare pc’s so that I could have a proper play about. 1 of the tools that I have played with is WPScan which is a tool for scanning WordPress blogs to try to find security holes.

WPScan seems is very useful. It can scan the blog to find out which plugins are installed as well as gaining more useful information such as potential security concerns.

1 thing that the scan specifically found with this blog is what is known as a Full Path Disclosure vulnerability. Basically this is where a script will leak information about the path it is installed upon on the server. The vulnerability is caused by something really simple. 1 of the function files (rss-function.php) calls a function that is not contained within the file itself. Due to this the script outputs the following error message if called directly:

Fatal error: Call to undefined function _deprecated_file() in /home/USERNAME/public_htm/wp-includes/rss-functions.php on line 8

As you can see I have modified this slightly but there is potentially 1 further piece of information that is displayed that would be very useful for a hacker. THE USERNAME. Quite a lot of servers have a folder for each user which has their files. Should we really be giving this information out?

This full path disclosure is not a new issue with WordPress and has been known about for some time but WordPress do not seem concerned and have not resolved the issue.

There is an easy way for this issue to be resolved. That is by simply placing the following into a .htaccess file within the blog root folder:

php_flag display_errors off

This should be fairly self-explanatory for any PHP developer. And anyone with any security knowledge should be doing something similar anyway. PHP errors should not be displayed to the user.

On a side note readme.html should also be deleted. This file leaks the version number of the current installed WordPress installation.

Tell us your thoughts

This site uses Akismet to reduce spam. Learn how your comment data is processed.