List: full-disclosure
Subject: Re: [Full-disclosure] Full Path Disclosure in most wordpress'
From: James Matthews <nytrokiss () gmail ! com>
Date: 2009-09-30 16:40:55
Message-ID: 8a6b8e350909300940v62bea7f9u74332bb06f44560e () mail ! gmail ! com
Some shared hosting services try very hard (and do quite well with what they
have). When you get into VPS systems it gets complex but dedicated is a nice
way to go.
James
On Wed, Sep 30, 2009 at 3:57 AM, Glafkos Charalambous
<info@infosec.org.uk>wrote:
> Hello,
>
>
>
> Most people are using a shared hosting environment, and not all of them
> are about security and/or having their own (dedicated) server. You have to
> see it from the whole perspective, and that this is *not always* an option.
>
> I don't remember this post being about secure environments or how to have a
> secure website, rather than the issue of WordPress plugins and how people are
> affected (using shared hosting or not).
>
>
>
> Btw what part of *most of the times* didn't make sense in the previous
> post?
>
>
>
> Glafkos
>
>
>
>
>
> *From:* majinboo [mailto:majinbou@gmail.com]
> *Sent:* Wednesday, September 30, 2009 9:35 AM
> *To:* Glafkos Charalambous
> *Cc:* Peter Bruderer; full-disclosure@lists.grok.org.uk
>
> *Subject:* Re: [Full-disclosure] Full Path Disclosure in most wordpress'
> plugins [?]
>
>
>
> Hello,
>
> A shared hosting environment is not an option if you want to have a secure
> website.
>
> majinboo
>
> 2009/9/29 Glafkos Charalambous <info@infosec.org.uk>
>
> Hello,
>
> Yes at some point you are right but this is not an option most of the
> times,
> especially when you are on a shared hosting environment.
>
> So either the developers need to secure their plugins or we do it ourselves
> as this is still an issue for everybody using Wordpress Plugins.
>
> Glafkos
>
>
> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk
>
> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Peter
> Bruderer
> Sent: Tuesday, September 29, 2009 9:33 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Full Path Disclosure in most wordpress'
> plugins [?]
>
> The proposed fix is definitely something that helps. But to me it
> looks like most people do not care anymore about server settings. As
> soon as it is kind of working, it is pushed to the Internet.
>
> Why not avoid these problems completely and follow the recommendations
> in php.ini?
>
> ; Print out errors (as a part of the output). For production web sites,
> ; you're strongly encouraged to turn this feature off, and use error logging
> ; instead (see below). Keeping display_errors enabled on a production web site
> ; may reveal security information to end users, such as file paths on your Web
> ; server, your database schema or other information.
> ;
> ; possible values for display_errors:
> ;
> ; Off - Do not display any errors
> ; stderr - Display errors to STDERR (affects only CGI/CLI binaries!)
> ; stdout (On) - Display errors to STDOUT
> ;
> display_errors = Off
>
> ; Even when display_errors is on, errors that occur during PHP's startup
> ; sequence are not displayed. It's strongly recommended to keep
> ; display_startup_errors off, except for when debugging.
> display_startup_errors = Off
>
> ; Log errors into a log file (server-specific log, stderr, or error_log (below))
> ; As stated above, you're strongly advised to use error logging in place of
> ; error displaying on production web sites.
> log_errors = On
>
>
> Now the error message is in the logfile and nothing is displayed in
> the browser.
>
>
> Peter Bruderer
> --
> Bruderer Research GmbH
> CH-8200 Schaffhausen
>
>
>
>
>
> On 29.09.2009, at 18:31, Loaden wrote:
>
> > Hey
> >
> > At first, excuse my bad English. That's a nice fix, but you need to change
> > the code for other plugins or files. This code works for all files which
> > should not be loaded directly:
> >
> > if (basename($_SERVER['SCRIPT_NAME']) == basename(__FILE__))
> > exit('Please do not load this page directly');
> >
> > If your webhoster doesn't have a configuration panel, you can try to
> > disable errors with this in your index.php:
> >
> > ini_set('display_errors', 0);
> >
> > I'm not sure if it works if safe mode is activated. Try it or look at
> > the PHP manual.
> >
> > Regards
> >
> > Loaden
> >
> > On Mo, 2009-09-28 at 23:37 +0300, Glafkos Charalambous wrote:
> >> Hello,
> >>
> >>
> >>
> >> That definitely can be fixed easily with two lines of code, but it is
> >> still something that should have been prevented at earlier stages of
> >> "plugin" development:
> >>
> >>
> >>
> >> "if (!empty($_SERVER['SCRIPT_FILENAME']) && 'akismet.php' == basename($_SERVER['SCRIPT_FILENAME']))
> >>     die('Please do not load this page directly');"
> >>
> >>
> >>
> >> From the server side you can set PHP "warnings" and "errors" OFF,
> >> either through php.ini or in the PHP page itself, but sometimes that's
> >> not an option.
> >>
> >>
> >>
> >> Regards,
> >>
> >> Glafkos Charalambous
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
--
http://www.goldwatches.com
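The thread above proposes two defences against full path disclosure through directly requested plugin files: a guard at the top of each file (the hard-coded 'akismet.php' test and Loaden's basename(__FILE__) variant) and turning off error display in favour of logging (Peter's php.ini directives, or Loaden's ini_set() fallback). The following is an added example, not code from the thread, from WordPress or from any of the posters; it generalises the guard so it works for any file, applies the three php.ini directives at runtime, and exercises both with constructed $_SERVER arrays. The plugin path, the log file location and the `expect()` helper are assumptions made for the demonstration. The ABSPATH test is WordPress' usual convention (the constant is defined by its bootstrap) and is offered as a complement to, not a replacement for, the thread's basename check.

```php
<?php
// Added example; not code from the thread or from WordPress. Generalises the
// direct-load guards quoted in the thread and shows the runtime equivalent of
// the php.ini directives Peter quotes. Paths, log file and $_SERVER arrays
// are constructed for the demonstration.
declare(strict_types=1);

/**
 * True when the current request targets $thisFile itself, i.e. the file was
 * not reached through an include from the application's front controller.
 * Comparing against __FILE__ instead of a literal such as 'akismet.php' makes
 * the same two lines reusable in every file that must never be loaded directly.
 */
function loaded_directly(string $thisFile, array $server): bool
{
    // SCRIPT_FILENAME is the filesystem path of the executing script;
    // SCRIPT_NAME is its URL path. Either yields the right basename.
    $script = $server['SCRIPT_FILENAME'] ?? $server['SCRIPT_NAME'] ?? '';
    return $script !== '' && basename($script) === basename($thisFile);
}

/**
 * Guard for the top of a plugin file. $frameworkLoaded is defined('ABSPATH')
 * in a WordPress plugin (assumption: WordPress' bootstrap defines it, so a
 * direct request never has it); the basename test is the thread's portable
 * form for files that live outside WordPress.
 */
function refuse_direct_load(string $thisFile, array $server, bool $frameworkLoaded): void
{
    if (!$frameworkLoaded || loaded_directly($thisFile, $server)) {
        http_response_code(403);   // no fatal error, hence no path in the body
        exit('Please do not load this page directly');
    }
}

/**
 * Runtime fallback when php.ini is out of reach: the directives Peter quotes,
 * applied with ini_set(). Returns the previous values (false where the SAPI
 * refused the change) so the caller can verify the change took effect.
 * Caveat: this covers only the request that executes it. A request aimed
 * straight at wp-content/plugins/x/x.php never runs index.php, so an
 * ini_set() placed there cannot help that case; php.ini, a .user.ini
 * (CGI/FastCGI) or php_flag display_errors off (mod_php) does.
 */
function harden_error_display(string $logFile): array
{
    return [
        'display_errors'         => ini_set('display_errors', '0'),
        'display_startup_errors' => ini_set('display_startup_errors', '0'),
        'log_errors'             => ini_set('log_errors', '1'),
        'error_log'              => ini_set('error_log', $logFile),
    ];
}

/** Tiny check helper (assumption, for the demo only). */
function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// --- Demonstration with constructed environments (run with `php this-file.php`) ---
$pluginFile = '/var/www/example/wp-content/plugins/demo/demo.php'; // hypothetical path

$viaFrontController = ['SCRIPT_FILENAME' => '/var/www/example/index.php'];
$directRequest      = ['SCRIPT_FILENAME' => $pluginFile];
$cgiStyleRequest    = ['SCRIPT_NAME'     => '/wp-content/plugins/demo/demo.php'];

expect(!loaded_directly($pluginFile, $viaFrontController), 'include via index.php is allowed');
expect(loaded_directly($pluginFile, $directRequest), 'direct request by filesystem path is caught');
expect(loaded_directly($pluginFile, $cgiStyleRequest), 'direct request seen via SCRIPT_NAME is caught');
echo "guard checks passed\n";

$previous = harden_error_display(sys_get_temp_dir() . '/php-errors-demo.log');
// With display off and logging on, this warning lands in the log file rather
// than in the response body, which is exactly the path-disclosure case.
trigger_error('constructed test warning', E_USER_WARNING);
printf("display_errors='%s' log_errors='%s' error_log=%s\n",
    ini_get('display_errors'), ini_get('log_errors'), ini_get('error_log'));
```

In a real plugin the guard call is the first statement of the file, `refuse_direct_load(__FILE__, $_SERVER, defined('ABSPATH'));`, so it runs before any reference to a WordPress function that would otherwise raise the fatal error carrying the server path. The settings half belongs in php.ini or a per-directory override rather than in application code, because the vulnerable request never executes the application's own bootstrap.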