path disclosure in themes if misconfigured
None of the scripts inside bb-templates should be +x; otherwise users will be able to execute them and a path will be disclosed.
example:
http://www.site.com/forums/bb-templates/kakumei/register-success.php
returns an error and a path is disclosed:
Fatal error: Call to undefined function: bb_get_header() in /server/path/disclosed/forums/bb-templates/kakumei/register-success.php on line 1
comment:
I had to +x all my files in my hosting environment to make bbpress work; this directory and its content should not be +x’ed.
(bbpress will still work if this directory is not +x’ed)
this is primarily ‘my fault’ but since I think what I did (+x’ing everything to make bbpress work) could have been done by others, I’m just making this note here.
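The post's mitigation is to make sure nothing under bb-templates carries the execute bit. The following shell script is an added example, not part of the original post or of bbPress itself: it lists every PHP file under a theme directory that has any execute bit set and clears those bits. The directory path passed to it is an assumption; adjust it to your install.

```shell
#!/bin/sh
# Added example (not from the original post or the bbPress project):
# audit a bbPress theme directory for PHP files with an execute bit set,
# and remove the bit so the files are readable by the web server but not
# marked executable. Usage: list_executable_php /path/to/bb-templates
#                          strip_exec_bits     /path/to/bb-templates

# Print the path of every regular .php file under "$1" that has the
# execute bit set for the owner, the group, or others.
list_executable_php() {
  dir="$1"
  find "$dir" -type f -name '*.php' \
    \( -perm -u=x -o -perm -g=x -o -perm -o=x \)
}

# Count the offending files (used for a quick pass/fail check).
count_executable_php() {
  list_executable_php "$1" | wc -l | tr -d ' '
}

# Clear all execute bits on the offending files. Read permissions are
# left untouched, so the web server can still serve the templates.
strip_exec_bits() {
  dir="$1"
  find "$dir" -type f -name '*.php' \
    \( -perm -u=x -o -perm -g=x -o -perm -o=x \) \
    -exec chmod a-x {} +
}
```

Run the audit before and after the fix and expect the count to drop to zero. Whether the execute bit decides anything here depends on how PHP is invoked: under a CGI-style setup it does, while a module-based setup runs any .php file regardless of its mode, so on such hosts the same fatal error (and the path in it) can still be reached by requesting the template directly; keeping display_errors off in production limits what such an error reveals.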