Message-ID: <200605081230.39160.max@jestsuper.pl>
Date: Mon, 8 May 2006 12:30:38 +0200
From: Maksymilian Arciemowicz <max@...tsuper.pl>
To: Paul Laudanski <zx@...tlecops.com>, bugtraq@...urityfocus.com
Subject: Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
On Monday 08 May 2006 04:49, you wrote:
> You state these problems exist at php.net and elsewhere, so why is the
> subject titled phpbb? php.net even recommends that for production sites
> displaying of errors is discouraged. I'm unsure how your report brings
> anything new as you specify the valid use of debug and displaying of
> errors which are already well known.
"Full Path Disclosure" isn't a risk, but many PHP systems and important sites
are vulnerable to these issues. Of course it is possible to turn off
display_errors, but that doesn't change the fact that these issues should not exist. It
is typical "Full Path Disclosure".
Yesterday I received confirmation from phpBB about the acceptance of this
bug.
PHP is a specific language and there are many different possibilities to show the full
path. I will publish a note about these bugs.
--
pub 1024D/7FDF4CEE 2005-09-21
uid Maksymilian Arciemowicz (cXIb8O3) <max@...tsuper.pl>
sub 2048g/AE816DB6 2005-09-21
SecurityReason.Com [Europe]
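The mitigation both correspondents refer to (keeping display_errors off in production so a PHP warning cannot print the script's absolute path) as an added example, not code from the thread or from phpBB; the log path and the constructed warning at the end are assumptions.

```php
<?php
// Added example: a production bootstrap that keeps PHP error output, and
// with it the absolute filesystem path, away from the client while still
// recording the full detail server-side. Assumed to be included first.

// Never print errors to the browser; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log'); // assumed log location
error_reporting(E_ALL);

// Non-fatal errors: log message, file and line, then swallow PHP's own
// output (which is what would carry the path to the client).
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true;
});

// Uncaught exceptions: same split, generic response for the client.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('Uncaught %s: %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'An internal error occurred.';
});

// Fatal errors bypass set_error_handler; capture them at shutdown.
// display_errors=0 already keeps their message (and path) off the page.
register_shutdown_function(function (): void {
    $err = error_get_last();
    $fatal = [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR];
    if ($err !== null && in_array($err['type'], $fatal, true)) {
        error_log(sprintf('Fatal: %s in %s:%d', $err['message'], $err['file'], $err['line']));
    }
});

// Constructed trigger: with display_errors=On this would render
// "Warning: Undefined array key ... in /absolute/path/to/script.php on line N".
// Here it only produces a log entry.
$args = [];
$value = $args['missing'] ?? null; // safe access; change to $args['missing'] to see the warning logged
```

Disabling display_errors in php.ini is the authoritative setting; the ini_set() calls above only cover errors raised after this file runs, so parse errors in the bootstrap itself still rely on the php.ini value.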