Skip to:
Content
Pages
Categories
Search
Top
Bottom

path disclosure in themes if misconfigured

  • none of the scripts inside bb-templates should be +x

    otherwise users will be able to execute them and a path will be disclosed.

    example:

    http://www.site.com/forums/bb-templates/kakumei/register-success.php

    returns an error and a path is disclosed:

    Fatal error: Call to undefined function: bb_get_header() in /server/path/disclosed/forums/bb-templates/kakumei/register-success.php on line 1

    comment:

    I had to +x all my files in my hosting environment to make bbpress work; this directory and its content should not be +x’ed.

    (bbpress will still work if this directory is not +x’ed)

    this is primarily ‘my fault’ but since I think what I did (+x’ing everything to make bbpress work) could have been done by others, I’m just making this note here.

You must be logged in to reply to this topic.