| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.44.0605092024430.19197-100000@bugsbunny.castlecops.com> Date: Tue, 9 May 2006 20:25:59 -0400 (EDT) From: Paul Laudanski <zx@...tlecops.com> To: Maksymilian Arciemowicz <max@...tsuper.pl> Cc: bugtraq@...urityfocus.com Subject: Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors On Mon, 8 May 2006, Maksymilian Arciemowicz wrote: > "Full Path Disclosure" isn't a risk but many systems of PHP or important sites > are vulnerable to this issues. Of course it is possible to turn off > display_errors but it isn't changing the fact, that issues should not be. It > is typical "Full Path Disclosure". > Yesterday I received the confirmation from phpBB about the acceptance of these > bug. > PHP is a specific language and are many different possibilities to show full > path. I will public note about this bugs. I don't disagree, but I do think path disclosure is not a big deal. If you're running a website, the first thing you have to do is secure the daemons on it. And that includes disabling the displaying of errors, disabling debugging, etc. -- Paul Laudanski, Microsoft MVP Windows-Security Submit Phish: http://castlecops.com/pirt [de] http://de.castlecops.com [en] http://castlecops.com [wiki] http://wiki.castlecops.com [family] http://cuddlesnkisses.com
Powered by blists - more mailing lists