Although I do not agree with this point, WordPress's stance on this is: "Why are there path disclosures when directly loading certain files? This is considered a server configuration problem. Never enable display_errors on a production site." - http://codex.wordpress.org/Security_FAQ#Why_are_there_path_disclosures_when_directly_loading_certain_files.3F

WordPress do not consider this a security bug and instead a configuration problem. They will not fix any and therefore WordPress is absolutely full of FPD issues.

I did some research back in 2011 and found that the first version of WordPress I could install (0.71-gold) had 44 FPDs, whereas the latest at the time of the research (3.2.1) had 155 FPDs - http://www.ethicalhack3r.co.uk/full-path-disclosure-fpd/

Here is every FPD issue I identified from version 0.71-gold to version 3.2.1 - http://ethicalhack3r.co.uk/files/misc/wp_paths.tar (I would estimate thousands across the versions, I used YEHG's inspathx tool)

From this research I found that the "wp-includes/rss-functions.php" file is the most consistent to give a FPD across all versions, this is the file now used in WPScan to detect FPDs in WordPress reliably - https://github.com/wpscanteam/wpscan/blob/2fb6f7169acb5263f11586e742474193ed3b4ee1/lib/wpscan/wp_target/wp_full_path_disclosure.rb

Until WordPress decide to start fixing them, individual FPD bugs are a non-issue.

On Sat, Nov 30, 2013 at 8:44 PM, MustLive <[email protected]> wrote:

> Hello list!
>
> In July I wrote about one vulnerability in WordPress, which was hiddenly
> fixed in version 3.5.2 (http://securityvulns.ru/docs29555.html). Here are
> new ones.
>
> These are hiddenly fixed vulnerabilities in such versions of WordPress as
> 3.6 and 3.6.1. Developers of WP intentionally haven't written about them to
> decrease official number of fixed holes. Which is typical for them - since
> 2007 they often hide fixed vulnerabilities.
>
> As I wrote in September (http://websecurity.com.ua/6795/), there are 9
> FPD vulnerabilities, which were hiddenly fixed in WP 3.6. They were not
> mentioned in announcement, only mentioned in Codex (as "bugs"). Even there
> were cases, when WP developers wrote about fixed FPD in official
> announcements.
>
> Full path disclosure (WASC-13):
>
> In Media Library if an attachment parent does not exist.
> In function parent_dropdown().
> In function wp_new_comment().
> In function mb_internal_encoding().
> At processing of image metadata.
> In function get_post_type_archive_feed_link().
> In function WP_Image_Editor::multi_resize().
> In function wp_generate_attachment_metadata().
> At deleting or restoring an item that no longer exists.
>
> Vulnerable are WordPress 3.5.2 and previous versions.
>
> As I wrote in November (http://websecurity.com.ua/6904/), there are 3 FPD
> vulnerabilities, which were hiddenly fixed in WP 3.6.1. They were not
> mentioned in announcement or Codex. Even there were cases, when WP
> developers wrote about fixed FPD in official announcements.
>
> Full path disclosure (WASC-13):
>
> In function get_allowed_mime_types().
> In function set_url_scheme().
> In function comment_form().
>
> Vulnerable are WordPress 3.6 and previous versions.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
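
An added example, not code from either poster or from WPScan: a Ruby check a site owner can run over a captured response body from their own site to confirm whether PHP error output (the `display_errors` case discussed above) leaks the install path. The function names and every sample body are constructed for illustration.

```ruby
# Matches PHP error output, with or without html_errors markup, and captures
# the absolute path (Unix or Windows) that the message discloses.
PHP_ERROR = %r{
  (?:<b>)?(?<level>Fatal\ error|Parse\ error|Warning|Notice|Deprecated)(?:</b>)?
  :\s+(?<message>.*?)\s+in\s+
  (?:<b>)?(?<path>(?:/|[A-Za-z]:\\)[^<\r\n]*?\.php)(?:</b>)?
  \s+on\ line\s+(?:<b>)?(?<line>\d+)
}x

# Returns one hash per PHP error found in a response body.
def disclosed_paths(body)
  findings = []
  body.scan(PHP_ERROR) do
    m = Regexp.last_match
    findings << { level: m[:level], path: m[:path], line: m[:line].to_i }
  end
  findings
end

# Given a disclosed path and the relative path that was requested, returns
# the install root the error reveals, or nil if the two do not line up.
def install_root(path, relative)
  norm = path.tr('\\', '/')
  norm.end_with?("/#{relative}") ? norm.delete_suffix(relative) : nil
end

# Constructed sample bodies (not captured from a real site).
SAMPLE_HTML = <<~'BODY'
  <br />
  <b>Fatal error</b>:  Call to undefined function example_fn() in <b>/var/www/html/wp-includes/rss-functions.php</b> on line <b>8</b><br />
BODY
SAMPLE_WIN = <<~'BODY'
  Warning: constructed message in C:\inetpub\wwwroot\wp-includes\rss-functions.php on line 12
BODY
# Ordinary page text that mentions "Warning" and a URL path: must not match.
SAMPLE_CLEAN = '<p>Warning: prices in /shop may change.</p>'

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_HTML, SAMPLE_WIN, SAMPLE_CLEAN].each do |body|
    hits = disclosed_paths(body)
    puts hits.empty? ? 'no path disclosed' : hits.map { |h| h[:path] }.join(', ')
  end
end
```

An empty result for every directly loadable file is what a server with `display_errors` disabled should produce.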
