You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Error logging/debugging is enabled in a WP site and the host allows it
Visit directly the location of the said files eg: https://id3exposed-carltest20.pantheonsite.io/wp-includes/ID3/module.audio-video.asf.php it will give out the error Fatal error: Uncaught Error: Class 'getid3_lib' not found in wp-includes/ID3/module.audio-video.asf.php:16 Stack trace: #0 {main} thrown in wp-includes/ID3/module.audio-video.asf.php on line 16
This vulnerability is the hosting's responsibility
Most technical users know that the path disclosure is the hosting's responsibility to address this issue but let's put our shoes in a simple user that is not very technical and can only host from the cheapest possible way where there is no staging and they always work in a live site as by default debugging is on, it would affect the user-friendliness of an application as most likely they will run into:
the full path is exposed by default and their site will be a favorite target for SQLI attacks and automated probes before the owners know it
their disk space can be maxed out when the error logs piles up
this user will need to hire a developer to get this coordinated to the hosting to get this turned off if he is not familiar in toggling the settings from the host
The text was updated successfully, but these errors were encountered:
Overview
Putting the PR here as it seems this is the source of that library where those vulnerable files are originated https://github.com/WordPress/wordpress-develop/tree/5.3/src/wp-includes/ID3 hoping that this not only helps out WP users but as well as others using this library.
This seems to be related to the open ticket from the WordPress core https://core.trac.wordpress.org/ticket/49499 exposing the path as it can be used if there is a successful SQLI attack as outlined in the OWASP standards as a potential threat https://owasp.org/www-community/attacks/Full_Path_Disclosure not just in WP but also other installation that depends on this library.
Affected files
These are the files affected in the WP core so there might be other files in this installation that might be affected not included in the list:
module.audio-video.asf.php
module.audio-video.flv.php
module.audio-video.matroska.php
module.audio-video.quicktime.php
module.audio-video.riff.php
module.audio.ac3.php
module.audio.dts.php
module.audio.flac.php
module.audio.mp3.php
module.audio.ogg.php
module.tag.apetag.php
module.tag.id3v1.php
module.tag.id3v2.php
module.tag.lyrics3.php
Steps to reproduce the error:
This vulnerability is the hosting's responsibility
Most technical users know that the path disclosure is the hosting's responsibility to address this issue but let's put our shoes in a simple user that is not very technical and can only host from the cheapest possible way where there is no staging and they always work in a live site as by default debugging is on, it would affect the user-friendliness of an application as most likely they will run into:
The text was updated successfully, but these errors were encountered: