From: msopacua at idg.nl (Melvyn Sopacua)
Subject: [SCSA-016] Multiple vulnerabilities in Ez publish

At 13:28 4/15/2003, Gregory Le Bras | Security Corporation wrote:

[ ... ]

> Path Disclosure :
>
>You can fix the path disclosure problem by adding this code in
>all the affected files :
>
>-------CUT-------
>
>error_reporting(0);
>
>-------CUT-------

Yeah, that'll help - you won't even be able to get a log of errors, like
'unlink() failed', when somebody found a way to delete files.

Please use:
display_errors  = Off
log_errors = On
in your php.ini (should be so on production servers anyways).

Or in the code:
ini_set('display_errors', FALSE);
ini_set('log_errors', TRUE);

If this product (haven't looked at it), uses its own error handler
routine and doesn't respect these settings, this is worth mentioning
explicitly and even better, provide a patch for the alternate
error handler.

It is hardly ever good advice to turn off error logging.


Met vriendelijke groeten / With kind regards,

Webmaster IDG.nl
Melvyn Sopacua

<@JE> Hosting: $5 per month. Domain name: $15, your site being down twice a 
week: Priceless.
http://www.bash.org/?42663
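As an added example (not part of the original thread and not eZ publish code): a custom PHP error handler that honours the display_errors / log_errors settings recommended in the reply above, so full details (file path, line) go to the server log while the client only sees a generic message. The function name and the log line format are assumptions.

```php
<?php
// Added example: an alternate error handler that respects php.ini settings
// instead of silencing everything with error_reporting(0).
// secure_error_handler() and the log format are assumed names, not eZ publish code.

function secure_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Respect the configured error_reporting mask and the @-operator.
    if (!(error_reporting() & $errno)) {
        return true; // suppressed as the caller requested
    }

    // Record full details server-side when log_errors is on; this is where
    // messages such as 'unlink() failed' end up instead of vanishing.
    if (filter_var(ini_get('log_errors'), FILTER_VALIDATE_BOOLEAN)) {
        error_log(sprintf('PHP error %d: %s in %s on line %d',
                          $errno, $errstr, $errfile, $errline));
    }

    // Only reveal paths and line numbers to the client when display_errors
    // is on (development). On production the user gets a generic message.
    if (filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN)) {
        printf("Error: %s in %s on line %d\n",
               htmlspecialchars($errstr), htmlspecialchars($errfile), $errline);
    } else {
        echo "An internal error occurred.\n";
    }
    return true; // do not fall through to PHP's built-in handler
}

set_error_handler('secure_error_handler');

// Production settings, as recommended above (normally set in php.ini).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed trigger: a warning that would otherwise print the script path.
unlink('/nonexistent/path/for-demo.txt');
```

Note that set_error_handler() is not invoked for fatal errors, so display_errors=Off in php.ini is still needed to keep those from reaching the client.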

