List: oss-security
Subject: Re: [oss-security] CVE Request - Wordpress 3.5 Full-path disclosure vulnerability
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2013-01-21 18:13:07
Message-ID: 50FD8533.3040500 () redhat ! com
On 01/21/2013 07:00 AM, Henri Salo wrote:
> On Mon, Jan 21, 2013 at 11:29:45AM +0000, Giles Coochey wrote:
>> Wouldn't setting PHP "display_errors" be for development only,
>> the entire point of the directive is to give the developer more
>> information 'in page'.
>>
>> Quoting:
>> "This is a feature to support your development and should never
>> be used on production systems (e.g. systems connected to the
>> internet)."
>
> You are correct. No CVE, but WordPress should still fix this.
> Please note that some configuration errors still get CVE, but this
> is not one of those in my opinion/knowledge. Path disclosures are
> usually low-priority issues.
>
> --- Henri Salo
It's less about severity (there are actually CVEs with a CVSS2 score
of 0), and more about documentation in this case. Setting
"display_errors" to "On" for PHP is an EXPLICIT security no-no and
generally well known (and the default is "Off"), so basically this is
a "don't point the gun at your foot and pull the trigger because it
will hurt" situation.
--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
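For readers who want to see the configuration point being argued over, the following is an added example and is not code from the thread, from WordPress or from PHP's documentation. It shows the development setting that writes the full filesystem path into the HTTP response, beside the production setting that keeps the same diagnostic server-side. The log path and the missing include file name are assumptions chosen for the illustration.

```php
<?php
// Added example (not from the original message). Shows why display_errors=On
// discloses the server's filesystem path, and the production-safe alternative.

// --- Development setting (the one the thread calls a "no-no" in production) ---
// ini_set('display_errors', '1');
// include 'missing-file.php';
// With display_errors on, a failed include emits into the response body:
//   Warning: include(missing-file.php): failed to open stream ... in /var/www/html/index.php on line 7
// i.e. the absolute path of the script is sent to whoever made the request.

// --- Production setting ---
ini_set('display_errors', '0');   // never echo diagnostics to the client
ini_set('log_errors', '1');       // keep them, but server-side only
ini_set('error_log', '/var/log/php/app.log'); // assumed path; keep it outside the web root
error_reporting(E_ALL);           // still report everything, just to the log

// Defence in depth: if a host's php.ini re-enables display_errors, a custom
// handler that logs the detail and returns nothing path-bearing still stops the leak.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true; // handled: PHP's built-in display path is not reached
});

set_exception_handler(function (Throwable $e): void {
    error_log((string) $e);       // full trace, including paths, goes to the log only
    http_response_code(500);
    echo 'An internal error occurred.'; // generic message for the client
});

// Same failure as above: the path now lands in /var/log/php/app.log, not in the response.
include 'missing-file.php';       // assumed missing file, triggers E_WARNING
echo "page rendered\n";
```

To check what a deployed interpreter actually uses (php.ini values override what a script sees before it runs), `php -i | grep -E '^(display_errors|log_errors|error_log)'` from the same SAPI as the web server is the quick test; the web SAPI may load a different php.ini than the CLI, so `phpinfo()` on a throwaway page behind authentication is the authoritative view.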