I agree, this is a configuration issue, not an issue with WordPress.
WordPress SHOULD NOT fix this issue because it will make it more difficult to
write WordPress modules.
All production systems should have this configuration:
display_errors=off
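
An added example (not part of the original post or of WordPress itself): a small Python audit for the setting recommended above. It reads the effective display_errors value from php.ini text and also flags .htaccess php_flag lines and ini_set() calls that can turn error display back on; the file names and contents in SAMPLE are constructed, and the ini parsing is simplified.

```python
import re

# Values PHP reads as "off" for display_errors; anything else displays errors.
OFF_VALUES = {"", "0", "off", "false", "no", "none"}

def ini_display_errors(ini_text):
    """Effective display_errors from php.ini text (last assignment wins)."""
    value = "1"  # PHP's built-in default when the directive is absent
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ; comments (simplified)
        m = re.match(r"display_errors\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip("\"'")
    return value

def is_displaying(value):
    return value.strip().lower() not in OFF_VALUES

# Per-directory and in-code overrides that can re-enable display after php.ini.
OVERRIDES = [
    re.compile(r"^\s*php_(?:admin_)?(?:flag|value)\s+display_errors\s+(\S+)", re.I | re.M),
    re.compile(r"ini_set\s*\(\s*['\"]display_errors['\"]\s*,\s*['\"]?(\w+)", re.I),
]

def audit(files):
    """files: {name: text}. Returns a list of (name, message) findings."""
    findings = []
    for name, text in files.items():
        if name.endswith("php.ini"):
            value = ini_display_errors(text)
            if is_displaying(value):
                findings.append((name, f"display_errors={value!r} shows errors"))
            continue
        for pattern in OVERRIDES:
            for m in pattern.finditer(text):
                if is_displaying(m.group(1)):
                    findings.append((name, f"override sets display_errors to {m.group(1)}"))
    return findings

# Constructed sample inputs (not taken from any real site).
SAMPLE = {
    "php.ini": "; production\ndisplay_errors = Off\nlog_errors = On\n",
    ".htaccess": "php_flag display_errors on\n",
    "wp-config.php": "<?php\n@ini_set('display_errors', 0);\n",
    "debug.php": "<?php ini_set(\"display_errors\", \"1\");\n",
}
if __name__ == "__main__":
    for name, message in audit(SAMPLE):
        print(f"{name}: {message}")
```
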

Ridiculous! I've been talking about this for some time, the actual
list of vulnerable files follows:
wp-admin\admin-functions.php
wp-admin\includes\admin.php
wp-admin\includes\class-ftp-pure.php
wp-admin\includes\class-ftp-sockets.php
wp-admin\includes\class-wp-filesystem-direct.php

Seems like most of the vulnerabilities from the last couple days are
not actual software issues, but problems with configuration of the
server or just not following the directions provided by the vendor.
If that is our measure for vulnerability, I can show about 10 for the
wristwatch I am

My point-of-view is that anything can be made insecure. The
WordPress issue is avoidable by just configuring the server to common
standards of not displaying errors in a production environment. That
seems pretty simple. I can see instances where I would want the
software to reveal the path if

Vulnerability ID: HTB22905
Reference: http://www.htbridge.ch/advisory/path_disclosure_in_wordpress.html
Product: Wordpress
Vendor: http://wordpress.org/
Vulnerable Version: 3.1
Vendor Notification: 15 March 2011
Vulnerability Type: Path disclosure
Status: Not Fixed
Risk