This plugin is now deprecated as of WordPress 2.3.2. WordPress 2.3.2 has error messages disabled by default. This plugin may still be useful for those running older versions.
WordPress by default has error messaging turned on:
function show_errors() {
    $this->show_errors = true;
}
It is important to note that database errors will still be displayed to users even when PHP errors have been turned off. This plugin disables WP DB error messages.
The recent WordPress information disclosure vulnerability demonstrates the potential dangers of having these error messages displayed to the user. It leaks the database prefix and may aid an attacker in further exploitation. In short, for live blogs, you really want this turned off. In fact, I’d suggest WordPress have this disabled by default.
So what we need is a WP action that allows us to turn error messaging off. We can then put this into a plugin.
parse_query - Runs at the end of query parsing.
This is what we want. Once a query has been executed we turn error messaging off for that query. I wrote a quick proof of concept plugin to test this.
The plugin wpdberrors is available here. There may be a better way to do this, suggestions and feedback welcome.
The latest versions will be released as ‘bs-wp-noerrors’ to remain consistent with other BlogSec projects.
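A minimal plugin along the lines described above, added here as an example; it is not the wpdberrors / bs-wp-noerrors source. The function name and the EXAMPLE_SHOW_DB_ERRORS constant are hypothetical, chosen only for this illustration.

```php
<?php
/*
Plugin Name: Example: hide wpdb errors
Description: Added illustration of the approach in this post.
*/

// Hypothetical switch (not a WordPress constant): define it as true in
// wp-config.php on a development copy to keep database errors visible.
// wp-config.php is loaded before plugins, so a value set there wins.
if ( ! defined( 'EXAMPLE_SHOW_DB_ERRORS' ) ) {
    define( 'EXAMPLE_SHOW_DB_ERRORS', false );
}

function example_hide_wpdb_errors() {
    global $wpdb;

    if ( EXAMPLE_SHOW_DB_ERRORS ) {
        return; // development copy: leave error output alone
    }

    // hide_errors() is the counterpart of the show_errors() method quoted
    // above: it sets $wpdb->show_errors to false, so a failed query no
    // longer prints the error and the SQL (table prefix included) into
    // the page served to the visitor.
    if ( isset( $wpdb ) && method_exists( $wpdb, 'hide_errors' ) ) {
        $wpdb->hide_errors();
    }
}

// parse_query runs at the end of query parsing; this is the hook the
// post settles on.
add_action( 'parse_query', 'example_hide_wpdb_errors' );

// Also registered on init so that queries issued before the main query
// is parsed are covered. The post reports that init alone did not hold
// in testing, so this supplements the parse_query hook, not replaces it.
add_action( 'init', 'example_hide_wpdb_errors' );
```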
I am curious about why there is a need to wait until the query has been parsed to turn the errors off.
You suggest that it should be off by default, would it make sense to turn it off using the init action instead? Possibly with a debug flag in the config file.
Andrew, I initially used the init function, however, I think it gets overwritten during or after the query (at least this is what happened during my tests), hence why I chose parse_query.
Thanks, that makes more sense. I have been looking at the WordPress files but I can’t find why at the moment.
[…] I often come across blogs where, for one reason or another, SQL errors are thrown. These SQL error messages need to be turned off - read. […]
[…] WordPress have decided to turn off WordPress errors by default now. So, our bs-wp-noerrors plugin is deprecated but still useful for those of us who haven’t trusted WP 2.3 enough to […]
[…] possible Protection. For everyone who uses an earlier version, should run BlogSecurity’s bs-wp-noerrors to have this feature as […]
Will we be getting an update for this plugin anytime soon? Thanks.
[…] For security reasons, I had also installed the DB-Errors plugin between versions 2.3.1 and 2.3.2. If such interim measures are not necessary, then I would rather wait a […]
[…] Error messages sometimes contain a great deal of information that is useful to an attacker. Get the plugin from here. […]