Message-ID: <42FCEFCD.4080604@havenshade.com>
Date: Fri, 12 Aug 2005 11:51:57 -0700
From: kato <gentoo@...enshade.com>
To: bugtraq@...urityfocus.com
Subject: Re: Xoops 2.2.1 Full Path Disclosure
[sorry for the truncated post... stupid. fat. fingers.]
Man, I hate when people put this crap in as a bug in the software. From
the PHP.ini file:
-----------------
; Print out errors (as a part of the output). For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below). Keeping display_errors enabled on a production web site
; may reveal security information to end users, such as file paths on your Web
; server, your database schema or other information.
display_errors = On
------------------
There are clearly some issues to address in the XOOPS pages pointed out;
no doubt there are some bugs to correct.
However, a path disclosure error in PHP is not an issue on a system
which is configured for production (unless it comes directly from the
software and not the PHP error reporting logic).
I understand the concern with path disclosure errors. However, it
sounds a little too much like our excuse-making industry is kicking in
when we start blaming software for not fixing improperly configured systems.
none@...e.com wrote:
>Xoops 2.2.1 Full Path Disclosure !!!
>
>http://[target]/include/registerform.php
>[code]
>Warning: main(XOOPS_ROOT_PATH/class/xoopslists.php): failed to open stream: No such file or directory in /home/public_html/site/include/registerform.php on line 28
>
>Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopslists.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/registerform.php on line 28
>
>Warning: main(XOOPS_ROOT_PATH/class/xoopsformloader.php): failed to open stream: No such file or directory in /home/public_html/site/include/registerform.php on line 29
>
>Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopsformloader.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/registerform.php on line 29
>
>Fatal error: Cannot instantiate non-existent class: xoopsformelementtray in /home/public_html/site/include/registerform.php on line 32
>[/code]
>
>http://[target]/include/commentform.inc.php
>
>[code]
>Warning: main(XOOPS_ROOT_PATH/class/xoopslists.php): failed to open stream: No such file or directory in /home/public_html/site/include/commentform.inc.php on line 28
>
>Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopslists.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/commentform.inc.php on line 28
>
>Warning: main(XOOPS_ROOT_PATH/class/xoopsformloader.php): failed to open stream: No such file or directory in /home/public_html/site/include/commentform.inc.php on line 29
>
>Warning: main(XOOPS_ROOT_PATH/class/xoopsformloader.php): failed to open stream: No such file or directory in /home/public_html/site/include/commentform.inc.php on line 29
>
>Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopsformloader.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/commentform.inc.php on line 29
>
>Fatal error: Cannot instantiate non-existent class: xoopsthemeform in /home/public_html/site/include/commentform.inc.php on line 30
>[/code]
>
>http://[target]/include/searchform.php
>
>[code]
>Warning: main(XOOPS_ROOT_PATH/class/xoopsformloader.php): failed to open stream: No such file or directory in /home/public_html/site/include/searchform.php on line 27
>
>Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopsformloader.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/searchform.php on line 27
>
>Fatal error: Cannot instantiate non-existent class: xoopsthemeform in /home/public_html/site/include/searchform.php on line 30
>[/code]
>
>And also:
>http://[target]/modules/contact/contactform.php
>
>
>
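The two sides of the argument above can both be addressed in code. The block below is an added example, not code from the original post, from kato, or from the XOOPS project: it shows the production error configuration the php.ini comment asks for, and the guard an include-only file can use so that requesting it directly never reaches the failing include in the first place. It assumes PHP 7 or later, that the application's front controller (mainfile.php in XOOPS' case) defines XOOPS_ROOT_PATH before pulling in anything under include/, and that the log path is writable; all three are assumptions, not facts from the advisory.

```php
<?php
// Added example (not XOOPS or kato's code). Two independent fixes for the
// behaviour quoted in the advisory: the host side (stop printing errors to
// the response) and the application side (refuse direct requests to files
// that only make sense when included by the front controller).

// ---- 1. Host side: what the php.ini comment asks for, applied at runtime.
// Equivalent to display_errors = Off and log_errors = On in php.ini; setting
// it here keeps the behaviour even on a host whose php.ini is the default.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-errors.log'); // assumed path
error_reporting(E_ALL);

// Defense in depth: if a control panel flips display_errors back on, this
// handler still keeps warnings and notices (and the paths they carry) out of
// the output and in the log. Caveat: fatal errors such as a failed require
// bypass set_error_handler(); only display_errors = Off silences those.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('PHP error %d: %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true; // handled: PHP's built-in reporter (and display) does not run
});

// ---- 2. Application side: an include-only file guarding itself.
// In the quoted output, PHP tried to include the literal string
// "XOOPS_ROOT_PATH/class/xoopslists.php": the constant was undefined because
// the file was requested directly rather than through the front controller,
// and PHP of that era treated an undefined constant as a string (PHP 8 throws
// instead). Either way the warning, once displayed, names the absolute path.
if (!defined('XOOPS_ROOT_PATH')) {
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access is not allowed.');
}

// Only reached when included by a bootstrapped request, so the constant
// resolves and the include path is real.
require_once XOOPS_ROOT_PATH . '/class/xoopsformloader.php';
require_once XOOPS_ROOT_PATH . '/class/xoopslists.php';
```

To check a deployment rather than the code, request one of the listed files directly (for instance `curl -si http://host/include/registerform.php`): a correctly configured host returns either a 403 from the guard or an empty 200/500 body, and the response never contains a string such as `/home/public_html`. If a path does appear, the host-side setting is the first thing to fix regardless of whether the application ships the guard.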