How To Fix WordPress Internal Path/Full Path Disclosure (FPD) Issue

Many websites running WordPress expose the internal path (full path) where the PHP files are installed whenever PHP displays an error message. This is not strictly a WordPress issue; it is a generic PHP configuration problem. WordPress developers don't treat it as a security risk, reasoning that potential attackers have no access to the internal structure even if they know it. That is not always true: attackers are very creative at using such information in unconventional ways. At the same time, displaying error messages in a production environment should be disabled, which in practice is often not the case, since most hosting environments have it enabled by default.

How to detect the WordPress internal path / full path?

If you check your website with sitecheck.sucuri.net, you will notice that it is able to display the path (if your site is not protected against the FPD issue). How does Sucuri do it? It is very simple: it just makes a request that generates an error message. If error display is not disabled, the internal path appears in the error message. For WordPress there are many known ways to trigger an error message (more details here):

  • Empty array in the URL: http://site.com/?page[]=about
  • Direct access to files that require preloaded library files (http://site.com/wp-includes/rss.php)
  • Invalid session cookie / null session cookie

A warning or error message containing the internal path will be displayed in the page:

Warning: trim() expects parameter 1 to be string, array given in /home/content/15/10734315/html/multishark/wp-includes/query.php on line 2625
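As an added example (not part of the original post), a small PHP function that scans a page body for PHP warnings or errors that carry an absolute filesystem path, which is the same thing the Sucuri check looks for. The sample body is constructed to look like the warning above; in practice you would feed it the saved output of a request to your own site.

```php
<?php
// Added example (not from the original post): detect full path disclosure
// in a response body. Handles both html_errors=On output
// ("<b>Warning</b>: ... in <b>/path</b> on line <b>N</b>") and plain-text
// output ("Warning: ... in /path on line N").

/**
 * Return the distinct absolute paths found inside PHP error/warning
 * messages in $body (Unix "/..." or Windows "C:\..." paths).
 */
function find_path_disclosure(string $body): array
{
    $pattern = '~(?:Warning|Notice|Fatal error|Parse error|Deprecated)(?:</b>)?:\s*'
             . '.*?\bin\s*(?:<b>)?((?:/|[A-Za-z]:\\\\)[^<\s]+)~s';
    if (preg_match_all($pattern, $body, $matches) === 0) {
        return [];
    }
    return array_values(array_unique($matches[1]));
}

// Constructed sample: what a site with display_errors enabled might return
// for the ?page[]=about request mentioned in the post.
$sample = "<html><body>\n"
        . "<b>Warning</b>:  trim() expects parameter 1 to be string, array given in "
        . "<b>/home/content/15/10734315/html/multishark/wp-includes/query.php</b>"
        . " on line <b>2625</b><br />\n"
        . "</body></html>";

$leaks = find_path_disclosure($sample);
if ($leaks === []) {
    echo "No path disclosure found.\n";
} else {
    foreach ($leaks as $path) {
        echo "Leaked path: $path\n";
    }
}
```

Run it with `php find_fpd.php` (any filename works); an empty result on your own saved page output means none of the standard PHP error prefixes appeared with a path, which is what you want to see after applying one of the fixes below.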

How to hide the WordPress internal path?

Luckily, there is a simple fix: configure the server not to display warnings and errors. In practice there are three places to do that:

  • in the php.ini configuration file
  • in the .htaccess file, in the root of the WordPress installation
  • in the PHP script

Disabling Warning and Error Display in the php.ini file

This method is the safest because it applies to the whole server. The php.ini location depends on the server configuration (sometimes the file is named php5.ini, usually when more than one PHP version is installed).

  • for dedicated/VPS configurations it is most likely /etc/php.ini
  • for shared hosting it should be in the root folder (public_html). This is an additional ini file that overrides the main php.ini settings. If it is not there you may have to create it. For example, for GoDaddy shared hosting you can find the location here.

Add either of the following lines (they are equivalent):

display_errors = 0
display_errors = Off

Once you have modified php.ini you either have to restart the web server (dedicated/VPS hosting) or wait a while on shared hosting (details for GoDaddy). If you want to check which php.ini files are loaded, create a PHP file with the following content, upload it to the hosting and run it (and don't forget to delete it afterwards).

<?php
    phpinfo();
?>

You'll see something like this if the default file is picked up:

The default php.ini is used if there is none created in the user folder

If on shared hosting you create your own file, you can check that the user one is used:

If a php.ini file is found in the user folder it is picked up from there.

Disabling Warnings and Errors in the .htaccess file

If this method is applied in the .htaccess file in the root folder of the WordPress installation it has the same effect as the method above. You only have to add the following line, provided PHP is installed as an Apache module:

php_flag display_errors off

If PHP runs in CGI mode (as opposed to an Apache module) the php_flag directive is not valid; Apache does not recognise it, so the site returns a server error instead of applying the setting. To find out whether PHP is installed as an Apache module or in CGI mode, you can use the phpinfo() method described above and look at the "Server API" row:

Detect whether PHP is installed as an Apache module or in CGI mode

Disabling Warnings and Errors in the PHP file

This one is definitely not a reliable solution in the WordPress case, because it doesn't cover all scenarios. It affects only the PHP files in which it is invoked. For example, if we add it to wp-config.php it works in many scenarios, but not if someone requests http://site.com/wp-includes/rss.php directly: wp-config.php is not loaded, our setting is not picked up, and as a result a warning is fired, exposing the internal structure. This option would only work if it were added to every PHP file, which obviously is not a solution.

ini_set('display_errors','Off');

When the configuration is done, use the phpinfo() method to check that it has taken effect. Afterwards, remember to delete the phpinfo file.

display_errors configuration
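The phpinfo() page shows far more than is needed and is itself something you do not want left on a server. As an added example (not from the original post), here is a narrower check script that reports only what the sections above care about: the Server API (Apache module versus CGI, which decides whether php_flag in .htaccess applies at all), the php.ini files actually loaded, and the effective display_errors value. The functions used are standard PHP; the test that the module SAPI name starts with "apache" (as in apache2handler) is an assumption of this example. Upload it, request it once, and delete it, exactly as the post advises for the phpinfo file.

```php
<?php
// Added example (not from the original post): a minimal replacement for the
// phpinfo() check. Upload, run once, delete.
header('Content-Type: text/plain');

// Server API: "apache2handler"/"apache2filter" for the Apache module,
// "cgi-fcgi" or "fpm-fcgi" for CGI/FastCGI setups. The prefix test is an
// assumption of this example, not something PHP documents as a contract.
$sapi = php_sapi_name();
$isApacheModule = (strpos($sapi, 'apache') === 0);
$mode = $isApacheModule
    ? 'Apache module (php_flag in .htaccess is applied)'
    : 'not the Apache module (php_flag in .htaccess is NOT applied; use php.ini)';

// The ini parser stores Off/no/false as "" and php_flag off as "0";
// ini_set('display_errors','Off') keeps the literal string. Anything else
// ("1", "On", "stdout", "stderr") means errors are still shown.
$display = ini_get('display_errors');
$disabled = in_array(strtolower((string) $display), ['', '0', 'off'], true);

echo "SAPI:            $sapi\n";
echo "Mode:            $mode\n";
echo "Loaded php.ini:  " . (php_ini_loaded_file() ?: '(none)') . "\n";
echo "Additional .ini: " . (php_ini_scanned_files() ?: '(none)') . "\n";
echo "display_errors:  " . var_export($display, true) . ' => '
   . ($disabled ? 'DISABLED (ok)' : 'ENABLED (internal paths can leak)') . "\n";
echo "log_errors:      " . var_export(ini_get('log_errors'), true) . "\n";
echo "error_log:       " . (ini_get('error_log') ?: '(server default)') . "\n";
```

Because the script reads the settings that are in effect for the request that runs it, requesting it from the WordPress root tells you whether the php.ini or .htaccess fix has really been picked up for that directory; the wp-config.php approach, by contrast, would not show up here at all, since this file never includes wp-config.php.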
