Skip to:
Content
Pages
Categories
Search
Top
Bottom

here's how to solve the "path disclosure" bug in bbPress


  • _ck_
    Participant

    @_ck_

    There is a security bulletin being circulated this week about a “path disclosure” bug in bbPress 1.0.3 – it actually affects all versions.

    It’s not a super-serious security bug in itself but it can be used to gain leverage.

    Basically someone can discover the real path your files are in by causing a PHP error by trying to access a template file directly, where there is an error in the template because bbPress is not loaded at that time.

    Here is a simple workaround for users on Apache (vast majority of users).

    Make a file called .htaccess (note the dot at the start)

    in it, put this line

    php_flag display_errors off

    Then upload that file to bb-templates and my-templates

    The reason why we don’t put that in the master .htaccess file for all of bbPress is because you may need to see any regular errors in the future. However for the template subdirectories, there is no need because those files are never (supposed to be) loaded directly by the browser.

Viewing 4 replies - 1 through 4 (of 4 total)

  • qayqay12
    Member

    @qayqay12

    If there are never supposed to be loaded directly by the browser maybe we could also deny the access by another .htaccess config:

    <Limit GET POST”>

    order deny,allow

    deny from all

    </Limit>

    Why don’t you add those .htaccess files in the repository. They will ensure security and they will not hurt on other servers than apache.


    qayqay12
    Member

    @qayqay12

    If there are never supposed to be loaded directly by the browser maybe we could also deny the access by another .htaccess config:

    <Limit GET POST”>

    order deny,allow

    deny from all

    </Limit>

    Why don’t you add those .htaccess files in the repository. They will ensure security and they will not hurt on other servers than apache.


    _ck_
    Participant

    @_ck_

    Because you cannot disable access for all files in the template directory – CSS and some images have to be loaded directly by the browsers in the end.

    So turning off PHP responses will do for now.


    _ck_
    Participant

    @_ck_

    Because you cannot disable access for all files in the template directory – CSS and some images have to be loaded directly by the browsers in the end.

    So turning off PHP responses will do for now.

Viewing 4 replies - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.