Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
- From: Paul Laudanski <zx@xxxxxxxxxxxxxx>
- Date: Tue, 9 May 2006 20:25:59 -0400 (EDT)
On Mon, 8 May 2006, Maksymilian Arciemowicz wrote:
"Full Path Disclosure" isn't a risk but many systems of PHP or important sites
are vulnerable to this issues. Of course it is possible to turn off
display_errors but it isn't changing the fact, that issues should not be. It
is typical "Full Path Disclosure".
Yesterday I received the confirmation from phpBB about the acceptance of these
bug.
PHP is a specific language and are many different possibilities to show full
path. I will public note about this bugs.
I don't disagree, but I do think path disclosure is not a big deal. If
you're running a website, the first thing you have to do is secure the
daemons on it. And that includes disabling the displaying of errors,
disabling debugging, etc.
--
Paul Laudanski, Microsoft MVP Windows-Security
Submit Phish: http://castlecops.com/pirt
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com
- References:
- Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
- From: Maksymilian Arciemowicz
- Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
- Prev by Date: Several flaws in e-business designer (eBD)
- Next by Date: PHP Live Helper ASP(chat.php) XSS
- Previous by thread: Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
- Next by thread: Firefox 1.5.0.3 code execution exploit
- Index(es):
