Internal Path Disclosure
Introduction
Path Disclosure vulnerability enables an attacker to see the full path of record and ithelps the attacker to identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.
How it works
This is how it disclosed.
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\wamp\www\en\events_detail.php on line 47This vulnerability if exploited could lead to Directory transversal which could lead for an attacker to gain read only access to root or other directories and ultimately to the web server.
How to Fix
Wordpress path disclosure vulnerability:
for Dedicated/VPS designs it's more probable in /etc/php.ini
for shared hosting it ought to be in the root folder (public_html). It is only an extra ini documents which over-burdens the fundamental php.ini settings.In the event that there isn't there you may need to make it.
display_errors = 0
display_errors = OffDisabling Warning and Errors in .htaccess file
This method is applied to the .htaccess file in the root folder of the wordpress installation. Then you only have to add the following line if php is installed as an apache module:php_flag display_errors off
Disabling Warning and Errors in php file
If we add it in the wp-config.php file it will work in many scenarios, but now if someone is invoking http://site.com/wp-includes/rss.php. In this case wp-config is not called, our configuration is not picked up, so as a result, a warning will be fired, exposing the internal structure. This option would work if it would be added in all the php files, which obviously is not a solution.
ini_set('display_errors','Off');When the configuration is done, you can use the phpinfo() method to check if it’s done. After finishing it, remember to delete the phpinfo file.
display_errors
Off
Off
display_startup_error
Off
Off
Configure 500 error to all custom pages of web application.
References
Last updated
Was this helpful?