Date: Mon, 8 May 2006 12:30:38 +0200
From: Maksymilian Arciemowicz <max@...tsuper.pl>
To: Paul Laudanski <zx@...tlecops.com>, bugtraq@...urityfocus.com
Subject: Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors


On Monday 08 May 2006 04:49, you wrote:
> You state these problems exist at php.net and elsewhere, so why is the
> subject titled phpbb?  php.net even recommends that for production sites
> displaying of errors is discouraged.  I'm unsure how your report brings
> anything new as you specify the valid use of debug and displaying of
> errors which are already well known.

"Full Path Disclosure" isn't a risk, but many PHP systems or important sites 
are vulnerable to these issues. Of course it is possible to turn off 
display_errors, but that doesn't change the fact that these issues should not 
exist. It is a typical "Full Path Disclosure". 
Yesterday I received confirmation from phpBB that this bug has been accepted.
PHP is a specific language and there are many different ways to reveal the full 
path. I will publish a note about these bugs.

-- 
pub   1024D/7FDF4CEE 2005-09-21
uid                  Maksymilian Arciemowicz (cXIb8O3) <max@...tsuper.pl>
sub   2048g/AE816DB6 2005-09-21
SecurityReason.Com [Europe]
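The reply above makes two points: a PHP application can leak its absolute filesystem path through an error message, and turning off display_errors hides the symptom without removing the cause. The following PHP is an added illustration written for this archive page; it is not code from the original post, from phpBB, or the specific phpBB 2.0.20 bug (which the thread does not describe). It shows the textbook trigger (an array passed where a string is expected, which makes a built-in function emit a warning naming the script's path), the input check that prevents the warning from ever being raised, and the production error settings. The script name, the log path, and the example warning text are illustrative assumptions; PHP 7 or later is assumed for the `??` operator.

```php
<?php
// Added example, not from the original post or from phpBB.
//
// Weak configuration, typical of a development php.ini:
//   display_errors = On
//
// Requesting  page.php?page[]=x  makes $_GET['page'] an array. On PHP 5/7
// trim() then emits a warning, on PHP 8 it throws a TypeError; either way,
// if display_errors is On the client sees something like (illustrative):
//   Warning: trim() expects parameter 1 to be string, array given in
//   /var/www/html/page.php on line 23
// That absolute path is the "Full Path Disclosure".

/**
 * Hardened handler: reject the wrong type before a string function sees it,
 * so no warning or exception is produced whatever display_errors is set to.
 */
function handle_request(array $get): string
{
    $page = $get['page'] ?? '';
    if (!is_string($page)) {
        http_response_code(400);
        return 'Bad request';
    }
    return trim($page);
}

// Production error settings, applied at runtime (php.ini names in comments).
// Fixing the code above removes the cause; these settings are defence in
// depth so that any remaining warning goes to the log, not to the client.
ini_set('display_errors', '0');                 // display_errors = Off
ini_set('log_errors', '1');                     // log_errors = On
ini_set('error_log', '/var/log/php/error.log'); // error_log = ... (assumed path)
error_reporting(E_ALL);                         // still record everything

echo htmlspecialchars(handle_request($_GET), ENT_QUOTES, 'UTF-8');
```

With display_errors left On, the unchecked `trim($get['page'])` is enough to print the path; with the `is_string()` check in place the request gets a 400 and no error is raised at all, which is the distinction the reply draws between hiding the message and fixing the issue.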

