lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 9 May 2006 20:25:59 -0400 (EDT)
From: Paul Laudanski <zx@...tlecops.com>
To: Maksymilian Arciemowicz <max@...tsuper.pl>
Cc: bugtraq@...urityfocus.com
Subject: Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors


On Mon, 8 May 2006, Maksymilian Arciemowicz wrote:

> "Full Path Disclosure" isn't a risk but many systems of PHP or important sites 
> are vulnerable to this issues. Of course it is possible to turn off 
> display_errors but it isn't changing the fact, that issues should not be. It 
> is typical "Full Path Disclosure". 
> Yesterday I received the confirmation from phpBB about the acceptance of these 
> bug.
> PHP is a specific language and are many different possibilities to show full 
> path. I will public note about this bugs.

I don't disagree, but I do think path disclosure is not a big deal.  If 
you're running a website, the first thing you have to do is secure the 
daemons on it.  And that includes disabling the displaying of errors, 
disabling debugging, etc.

-- 
Paul Laudanski, Microsoft MVP Windows-Security
Submit Phish: http://castlecops.com/pirt
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ