Detailed Error Messages Revealed

The file you are referring to (tinymce.min.js) is a JavaScript file and is part of the WordPress core. You can compare the content you have with that in the repository: https://github.com/WordPress/WordPress/blob/master/wp-includes/js/tinymce/tinymce.min.js

Unfortunately, I don’t see the connection to your LDAP comment here. If you could describe this in more detail, we might be able to tell you more about it.

So the tinymce.min.js especially for the code that i mentioned before not related to LDAP?

and can elaborate on this code also?

{var s,r,o=this,c=0,l=[],t=0,f=function(){return 0===t}

thanks

@anugrahjaya1: I think you’re looking at this the wrong way.

From your own post, it seems the issue here is not that the pattern was matched, but it seems some exception or error was triggered which led to some “detailed error message” being “revealed”.

What is not mentioned is where this “detailed error message” is “revealed”.

Is it displayed on your public website and visible to everyone? That’s a webserver configuration problem: you should never display error messages or even benign warnings on a public website for security and performance reasons (plus it simply annoys your users who can’t act on the error message).

If, on the other hand, this “detailed error message” is being displayed in the server’s error logs or being “revealed” to a script/software that’s running on the server, then I don’t see how this is a problem. If this were an attack situation, the bad actor is ALREADY ON THE SERVER — and an error message being revealed should be your least concern, as they already have the keys to the kingdom!

Coming from the IT managed services world, I can’t count the number of times a client would call frantically screaming about “critical” vulnerabilities some security auditors they hired have found on their network/server. And the problem? We’ve locked down the client’s network tightly so the “security auditors” can’t run their automated scanners and check off their boxes. And that’s certainly a critical security problem, a failed audit and client being threatened with noncompliance!

The question is, does this code have to be there??

Yes, it’s a core file and part of how it operates.

It’s neither a security vulnerability nor a cause for concern, but editing core files can introduce security vulnerabilities, bugs, and will be replaced with every WordPress update anyway.

As with all security matters, it is indeed possible to protect your home from theft by encasing it in a concrete box with no windows or doors, but that is hardly a usable home.

To be clear, we take security very seriously here https://www.ads-software.com/about/security/ so if a scanner is reporting an unmodified core file, it is far more likely that scanner is being a bit overzealous.

But, if you have found a valid security vulnerability, you can always report it following these steps: https://make.www.ads-software.com/core/handbook/testing/reporting-security-vulnerabilities/

Scanners merely compare characters for exact matches, they can’t divine meaning or function, and some take it a bit too far.

It reminds me of the old days when anti-virus programs would detect each other’s virus definitions as malware and thus prompt you to remove themselves. Be careful out there. ??

Ok thanks everyone for your explanation, so this is false positive.

• This reply was modified 9 months, 1 week ago by anugrahjaya1.