lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200605081230.39160.max@jestsuper.pl>
Date: Mon, 8 May 2006 12:30:38 +0200
From: Maksymilian Arciemowicz <max@...tsuper.pl>
To: Paul Laudanski <zx@...tlecops.com>, bugtraq@...urityfocus.com
Subject: Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors


On Monday 08 May 2006 04:49, you wrote:
> You state these problems exist at php.net and elsewhere, so why is the
> subject titled phpbb?  php.net even recommends that for production sites
> displaying of errors is discouraged.  I'm unsure how your report brings
> anything new as you specify the valid use of debug and displaying of
> errors which are already well known.

"Full Path Disclosure" isn't a risk but many systems of PHP or important sites 
are vulnerable to this issues. Of course it is possible to turn off 
display_errors but it isn't changing the fact, that issues should not be. It 
is typical "Full Path Disclosure". 
Yesterday I received the confirmation from phpBB about the acceptance of these 
bug.
PHP is a specific language and are many different possibilities to show full 
path. I will public note about this bugs.

-- 
pub   1024D/7FDF4CEE 2005-09-21
uid                  Maksymilian Arciemowicz (cXIb8O3) <max@...tsuper.pl>
sub   2048g/AE816DB6 2005-09-21
SecurityReason.Com [Europe]


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ