Archives

This is the archive for June 2006

Tuesday, June 20, 2006

I was pointed to this reported "security issue" today, and wanted to say a quick word about this.

The report is invalid. None of the specified URLs are exploitable.

  1. action.php: has include('./config.php'); as first line. config.php defines $DIR_LIBS.
  2. media.php: same thing: included config.php first, via a fixed path.
  3. xmlrpc/server.php: again, the same: includes config.php via a fixed path.
  4. xmlrpc/api_metaweblog.inc.php: this one is just funny, since this file doesn't execute any code when called (it's included from elsewhere). The only thing it does is compose an array and define a number of functions.

Including config.php as soon as possible, via a safe path, is crucial to Nucleus security: including config.php defines crucial variables (like DIR_LIBS) and bootstraps Nucleus (including security checks: that's why you'll receive a "Sorry, an error occurred" error message when trying these URLs).

The previous security issue, which led to the release of Nucleus v3.23, was possible because PLUGINADMIN.php has no reliable way of knowing where it is executing, and therefore cannot include config.php in a safe way. Instead, this file is included from plugin admin areas, which include the config file first. Should have called the file PLUGINADMIN.inc, actually.

Anyway, there's no need to worry about this report. You're only vulnerable to it if you've got an empty config.php file, and in that case, your site won't function anyway. As far as I know, Nucleus v3.23 is safe to use.
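
An added example, not part of the original post or of Nucleus itself: a small Python audit that flags PHP files which include through a variable path before config.php has been included through a literal path, the rule described above. The PHP samples and the helper.php name are constructed for illustration, and the check is conservative: only a plain string literal counts as a fixed path.

```python
import re

# include/require statements; the lookbehind skips names like $include or ->include.
INCLUDE_RE = re.compile(
    r"(?<![\w$>])(?:include|require)(?:_once)?\b\s*\(?\s*(?P<arg>[^;]*?)\s*\)?\s*;",
    re.I)
# "Fixed" means one plain string literal: no variables, no concatenation.
FIXED_RE = re.compile(r"""^(['"])[^'"$]*\1$""")


def strip_comments(src):
    """Naive comment removal (does not parse string literals)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(?://|#).*$", "", src)


def audit(src):
    """Return the include arguments that use a non-literal path before
    config.php has been included through a literal path."""
    findings, config_loaded = [], False
    for m in INCLUDE_RE.finditer(strip_comments(src)):
        arg = m.group("arg")
        if FIXED_RE.match(arg):
            if arg[1:-1].endswith("config.php"):
                config_loaded = True
        elif not config_loaded:
            findings.append(arg)
    return findings


# Constructed samples (not Nucleus source). ENTRY follows the pattern the post
# describes for action.php; LIBRARY is a hypothetical include-only file that
# trusts $DIR_LIBS without defining it first.
ENTRY = r"""<?php
include('./config.php');
include($DIR_LIBS . 'helper.php');
"""
LIBRARY = r"""<?php
// meant to be included from elsewhere
include($DIR_LIBS . 'helper.php');
function do_work() {}
"""

if __name__ == "__main__":
    for name, src in (("ENTRY", ENTRY), ("LIBRARY", LIBRARY)):
        print(name, audit(src) or "ok")
```

A file that only defines functions and arrays, like the fourth item in the list above, produces no findings because it contains no include at all.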