[Full-disclosure] Full Path Disclosure in most wordpress' plugins [?]
Loaden
loaden at einmalmitprofis.com
Tue Sep 29 17:31:42 BST 2009
Hey
at first excuse my bad english. Thats a nice fix. But you need to change
the code for other plugins or files. This code works for all files which
should not be loaded directly:
if (basename($_SERVER['SCRIPT_NAME']) == basename(__FILE__))
exit('Please do not load this page directly');
If your webhoster don't have a configuration panel you can try to
disable errors with this in your index.php:
ini_set('display_errors', 0);
I'am no sure if it works if save mode is activated. Try it or look at
the PHP manual.
Regards
Loaden
On Mo, 2009-09-28 at 23:37 +0300, Glafkos Charalambous wrote:
> Hello,
>
>
>
> That definitely can be fixed easily with two lines of code but is
> still something that should have been prevented at earlier stages of
> "plugin" development
>
>
>
> "if (!empty($_SERVER['SCRIPT_FILENAME']) && 'akismet.php' ==
> basename($_SERVER['SCRIPT_FILENAME']))
>
> die ('Please do not load this page directly');"
>
>
>
> From the server side you can set PHP "warning" and "errors" OFF either
> through php.ini or PHP page itself but sometimes that's not an option
>
>
>
> Regards,
>
> Glafkos Charalambous
Full-Disclosure is hosted and sponsored by Secunia.