
Directory traversal: wp-content directories respond 200 with blank page #294

Description

@ogorzalka

Bug description

Directories under the WordPress content path (/content/plugins/, /content/themes/, /content/mu-plugins/, /cms/wp-content/) respond with HTTP 200 and a blank page instead of 404.

This happens because:

  1. These directories contain index.php files ("Silence is golden") that exist on disk
  2. The web server (Apache/Nginx) serves that index.php directly without going through the framework: an existing directory fails the RewriteCond %{REQUEST_FILENAME} !-d guard in the Laravel .htaccess (or matches $uri/ in an Nginx try_files), so the request is never rewritten to the front controller, and DirectoryIndex/index hands the directory's own index.php to PHP instead
  3. The result is a blank 200 response, which is an information leak (a scanner can confirm which directories exist under the docroot) and looks broken

Reported in Pollora/pollora#182.

Expected behavior

Any request to a directory path that isn't a valid WordPress/Laravel route should return 404.

Proposed fix

Two-layer approach:

1. Skeleton .htaccess (Apache)

Add a rewrite rule before the standard Laravel rules to force directory requests under content/ and cms/wp-content/ through the front controller.

2. Framework middleware (server-agnostic)

Add a middleware in the framework that detects requests targeting existing directories (not files) and returns 404. This gives protection that does not depend on the web server's rewrite rules (Apache, Nginx, Caddy, etc.), with one caveat: the middleware only runs for requests the web server actually hands to the front controller, so a server that serves a directory's own index.php by itself (Apache DirectoryIndex, Nginx try_files with $uri/) still needs its rule adjusted, which is why layer 1 is kept.
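A sketch of layer 2, added here as an illustration and not code from the Pollora project: a Laravel middleware that maps the request path onto the public docroot, confines it there with realpath(), and aborts with 404 when the path is an existing directory. The class name DenyDirectoryRequests and the use of public_path() as the docroot are assumptions for this example.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Respond 404 to any request whose path resolves to an existing directory
 * inside the public docroot (for example /content/plugins/), so that a
 * "Silence is golden" index.php is never served as a blank 200.
 *
 * Illustrative middleware written for this issue; the class name and the
 * choice of public_path() as the docroot are assumptions, not Pollora code.
 */
class DenyDirectoryRequests
{
    public function handle(Request $request, Closure $next): Response
    {
        // Request::path() returns the decoded, slash-trimmed path
        // ("content/plugins"), or "/" for the site root.
        $path = $request->path();

        if ($path !== '/' && $this->isDirectoryInDocroot($path)) {
            abort(404);
        }

        return $next($request);
    }

    /**
     * True only when $path names a directory that really sits under the
     * docroot. realpath() canonicalises ".." segments and symlinks first,
     * so a path that escapes the docroot is rejected rather than probed,
     * which keeps the middleware from becoming a filesystem existence oracle.
     */
    private function isDirectoryInDocroot(string $path): bool
    {
        $docroot  = realpath(public_path());
        $resolved = realpath(public_path($path));

        if ($docroot === false || $resolved === false) {
            return false; // nothing on disk: let the router produce its own 404
        }

        // Require a strict child of the docroot; the docroot itself is "/",
        // which handle() already skipped.
        return $resolved !== $docroot
            && str_starts_with($resolved, $docroot . DIRECTORY_SEPARATOR)
            && is_dir($resolved);
    }
}
```

To take effect for every request, the middleware has to be registered globally (in Laravel 11 that is the append() call on the Middleware object in bootstrap/app.php; the exact registration depends on the Laravel version Pollora targets). It only sees requests that reach index.php, so on Apache the layer 1 rewrite in the skeleton .htaccess must still force directory requests under content/ and cms/wp-content/ through the front controller, and an Nginx site should not list $uri/ in its try_files fallback.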

Affected versions

All versions — this is a structural issue with the Bedrock-style layout where wp-content is under the public docroot.
