Open Source and information security mailing list archives
 
Date: Fri, 12 Aug 2005 11:51:57 -0700
From: kato <gentoo@...enshade.com>
To: bugtraq@...urityfocus.com
Subject: Re: Xoops 2.2.1 Full Path Disclosure


[sorry for the truncated post... stupid. fat. fingers.]

Man, I hate when people put this crap in as a bug in the software.  From 
the PHP.ini file:
-----------------
; Print out errors (as a part of the output).  For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below).  Keeping display_errors enabled on a production web site
; may reveal security information to end users, such as file paths on your Web
; server, your database schema or other information.
display_errors = On
------------------

There are clearly some issues to address in the XOOPS pages pointed out; 
no doubt there are some bugs to correct.

However, a path disclosure error in PHP is not an issue on a system 
which is configured for production (unless it comes directly from the 
software and not the PHP error reporting logic).

I understand the concern with path disclosure errors.  However, it 
sounds a little too much like our excuse-making industry is kicking in 
when we start blaming software for not fixing improperly configured systems.

none@...e.com wrote:

>Xoops 2.2.1 Full Path Disclosure !!!
>
>http://[target]/include/registerform.php
>[code]
>Warning: main(XOOPS_ROOT_PATH/class/xoopslists.php): failed to open stream: No such file or directory in /home/public_html/site/include/registerform.php on line 28
>
>Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopslists.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/registerform.php on line 28
>
>Warning: main(XOOPS_ROOT_PATH/class/xoopsformloader.php): failed to open stream: No such file or directory in /home/public_html/site/include/registerform.php on line 29
>
>Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopsformloader.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/registerform.php on line 29
>
>Fatal error: Cannot instantiate non-existent class: xoopsformelementtray in /home/public_html/site/include/registerform.php on line 32
>[/code]
>
>http://[target]/include/commentform.inc.php
>
>[code]
>Warning: main(XOOPS_ROOT_PATH/class/xoopslists.php): failed to open stream: No such file or directory in /home/public_html/site/include/commentform.inc.php on line 28
>
>Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopslists.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/commentform.inc.php on line 28
>
>Warning: main(XOOPS_ROOT_PATH/class/xoopsformloader.php): failed to open stream: No such file or directory in /home/public_html/site/include/commentform.inc.php on line 29
>
>Warning: main(XOOPS_ROOT_PATH/class/xoopsformloader.php): failed to open stream: No such file or directory in /home/public_html/site/include/commentform.inc.php on line 29
>
>Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopsformloader.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/commentform.inc.php on line 29
>
>Fatal error: Cannot instantiate non-existent class: xoopsthemeform in /home/public_html/site/include/commentform.inc.php on line 30
>[/code]
>
>http://[target]/include/searchform.php
>
>[code]
>Warning: main(XOOPS_ROOT_PATH/class/xoopsformloader.php): failed to open stream: No such file or directory in /home/public_html/site/include/searchform.php on line 27
>
>Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopsformloader.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/searchform.php on line 27
>
>Fatal error: Cannot instantiate non-existent class: xoopsthemeform in /home/public_html/site/include/searchform.php on line 30
>[/code]
>
>And also:
>http://[target]/modules/contact/contactform.php
>
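The setting the reply above is talking about, shown as an added example that is not part of the original post or of XOOPS: the development-style php.ini fragment that produces the quoted warnings in the HTTP response, beside the production fragment that sends the same warnings to a log instead. The two fragments are alternatives, not one file (in php.ini the last occurrence of a directive wins). Directive names are real php.ini directives; the log path is an assumption for illustration.

```ini
; --- Development-style settings (the weak configuration) ---
; With display_errors=On, every failed include() or undefined class is
; printed into the page, complete with the absolute path of the script,
; which is exactly what the quoted XOOPS output shows.
display_errors = On
html_errors = On
log_errors = Off
expose_php = On

; --- Production settings ---
; Keep reporting everything, but route it to a log file rather than to
; the browser; the path below is an assumed location and must be writable
; by the PHP process and not reachable through the web server.
error_reporting = E_ALL
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php/error.log
html_errors = Off
; Do not advertise the PHP version in the X-Powered-By header.
expose_php = Off
```

After changing php.ini the web server (or PHP process manager) has to be restarted for the new values to take effect; check the live values with `php -i | grep -E 'display_errors|log_errors|error_log'` rather than leaving a phpinfo() page on the host. Two caveats follow from the reply's own argument: with Apache mod_php a per-directory `php_flag display_errors Off` in .htaccess can override, or be overridden by, the global file, so verify the value that the affected directory actually gets; and turning display output off only hides what PHP itself prints, so a path that the application echoes in its own messages is a bug in the software and still needs a code fix.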