full path disclosure: security problem

This has nothing to do with WordPress, it is the default set-up of your web-server. If you are using Apache, add this to your .htaccess:

Options All -Indexes

I know that’s a solution for the open dir problem, but maybe this should be in de .htaccess in the initial installation.

And it doesn’t change anything with the full path disclosure:
https://www.example.com/wp-content/themes/default/index.php

I really wouldn’t go as far to say that this is a security concern, especially since 99.99999% of all WordPress users have their theme files in /wp-content/themes/, 99.99999% of all WordPress users have their plugin files in /wp-content/plugins/, and 99.99999% of all WordPress users have their admin files in /wp-admin/ . What I’m trying to get at here is that the file path really doesn’t matter. If someone has the technical know-how to mess with your files, they probably already know where to look.

In all other projects (Drupal, php-nuke, …), they take this stuff seriously.

I think it should be wise to ad this the default .htaccess file:

Options All -Indexes
# Turn off display_errors
php_flag display_errors off


Dextro: you’re looking security issues on the wrong place, this for 2 reasons:
1/ .htacess is not enabled on every host so your solution is not a real one as it will only target a few person.

2/ as macmanx said, 99.99999999% WordPress users will use the standard install path for plugins and themes.

A clever – or at least normal – sys admin will not allow Indexes option and PHP errors displaying, even if on public web hosts it’s usefull because you can’t check logs.

A simple solution should be to put a void index.php into those directories. Will work everywhere.

I think it’s not a wordpress concern and you just want to make a fuss claiming you have discovered a major security flaw on an open source project. Come back to play here when you’re grown up

Oh, and talking about phpNuke it’s been on the top holed applications list of all security mailing lists for years.

Was not a very good idea to cite it as a modele of security concerns IMHO

If you would have cited M$ Windows as a comparison then we might have believed you ??

Hmmm. Makes me wonder why there isn’t a default ‘secure’ index.php file in all WP subfolders, and then a ‘standard’ that anyone can include in their own created folders? I know there are index.php files in some of the subfolders…

-d

neuro: about point 1, you’re right, i forgot that. And an empty index is a good alternative.

All the other crap you wrote under it sais more about you then about me… Btw, where did I wrote that phpnuke was a modele?
I discover nothing, it was only a simple question, but apparantly you folks don’t accept ‘new’ people in here… Especially the sentence about growing up doesn’t make sense in any way.

Just don’t forget, a peace of code can only come better if you folks accept some criticism. And yes, I have some other questions and things that maybe could be better, but I now just discovered that it is better to shut up in here.

We should add a small script that creates empty index.php on every indexless folder at install time that should be regenerated the way the permalinks are.

But I guess there will be people who wants to have indexless directory and who will complain about this.

But I still believe this is really a sysadmin issue more than a WordPress concern.

What could be the avantage of an indexless dir?

If we go ahead with this, don’t make the index.php completely empty, at least send out a 403 header.

Wait a sec. Exactly what is the security issue here? Am I reading this wrong, or are you upset that I can browse to youriste.com/wp-content/plugins/ and view what plugins you run?

So what? I click on a plugin and it errors out. Everything is PHP executeable, so no critical information is revealed. And what’s the harm in seeing what other people have installed?

I like the fact that I can browse most WP sites like this. It helps me to learn, and often times helps me out while I am troubleshooting a site.

Am I reading this wrong, or are you upset that I can browse to youriste.com/wp-content/plugins/ and view what plugins you run?

Apparently that is the issue here.

Apparently that is the issue here.

Hrm…

I think that’s a serious security problem.

I can’t see how this is 1) a security issue or 2) serious. It’s more like a “i don’t want people seeing my files” issue which should probably be decided on a site to site basis by those who care to lock it down. I would no recommend this to be a default.