http://weblogtoolscollection.com/news/ Weblogtoolscollection News Topic: Server path disclosure in WP themes en Tue, 21 May 2013 08:56:48 +0000 http://weblogtoolscollection.com/news/topic/server-path-disclosure-in-wp-themes#post-1264 Fri, 06 Jul 2007 10:48:33 +0000 Truden 1264@http://weblogtoolscollection.com/news/ <p>I see that Mark has taken in consideration the server path disclosure and he fixed it in this web site without tempering with the server settings.</p> <p>It would be nice of him if he explain to his readers how he did it and what is the risk if you do not do it. </p> http://weblogtoolscollection.com/news/topic/server-path-disclosure-in-wp-themes#post-1136 Tue, 12 Jun 2007 22:54:38 +0000 Truden 1136@http://weblogtoolscollection.com/news/ <p>Oh, I know that it is a GLOBAL thing, but blogging system like WordPress should take care of its users.<br /> <strong>It is rule:</strong> Do all possible to secure your code and software.<br /> If you can not do it, you must bring it to the attention of your users and I don't understand why news discussing security and anti spam issues are kept silently covered until they disappear in the time??? </p> http://weblogtoolscollection.com/news/topic/server-path-disclosure-in-wp-themes#post-1128 Tue, 12 Jun 2007 15:36:56 +0000 polyxena 1128@http://weblogtoolscollection.com/news/ <p>This depends on the level of error reporting (set by hosting company and/or php.ini). Production sites really should suppress all errors/warnings, so it's a global thing, not just a WP thing </p> http://weblogtoolscollection.com/news/topic/server-path-disclosure-in-wp-themes#post-1117 Mon, 11 Jun 2007 07:23:47 +0000 Truden 1117@http://weblogtoolscollection.com/news/ <p>I see that no one takes this problem as a serious security threat and weblogtoolscollection.com is not afraid to show its server path.</p> <p>Well, just in case you don't like to be so brave, you can use an .htaccess to cover this hole.<br /> Put in the file this code:</p> <p><code>&lt;Files "*.php"&gt;<br /> Order allow,deny<br /> Deny from all<br /> &lt;/Files&gt;</code></p> <p>Upload this .htaccess file in all your theme directories. </p> http://weblogtoolscollection.com/news/topic/server-path-disclosure-in-wp-themes#post-1113 Sat, 09 Jun 2007 16:52:29 +0000 Truden 1113@http://weblogtoolscollection.com/news/ <p>He-he :-)<br /> I was doing some carpentry when a thought popped up in my mind:<br /> what if you type in the address bar the path to your theme directory / index.php</p> <p>How do we secure theme/index.php???</p> <p>Not very clever designed template hook ;)<br /> Or perhaps that is not a BIG problem and my ignorance is making me wary too much. :( </p> http://weblogtoolscollection.com/news/topic/server-path-disclosure-in-wp-themes#post-1112 Sat, 09 Jun 2007 13:37:22 +0000 Truden 1112@http://weblogtoolscollection.com/news/ <p>Server path disclosure is a serious hole jeopardizing your security.</p> <p>All theme developers should secure the theme files which are not supposed to be called directly.</p> <p>It is very easy to find the path to your theme folder and then just call searchform.php or single.php or any other file which is used as included theme file.<br /> By doing that you would see something like:</p> <p>Fatal error: Call to undefined function: bloginfo() in /var/www/myhost/mysite/docs/wp-content/themes/mytheme/searchform.php on line 2</p> <p>If a hacker needs your server path he/she has it. </p>