Message-ID: <5.1.0.14.2.20030415144539.05fce3c8@yoshimo.webtechs.idg.nl>
From: msopacua at idg.nl (Melvyn Sopacua)
Subject: [SCSA-016] Multiple vulnerabilities in Ez publish
At 13:28 4/15/2003, Gregory Le Bras | Security Corporation wrote:
[ ... ]
>Path Disclosure :
>
>You can fix the path disclosure problem by adding this code in
>all the affected files :
>
>-------CUT-------
>
>error_reporting(0);
>
>-------CUT-------
Yeah, that'll help - you won't even be able to get a log of errors, like
'unlink() failed', when somebody found a way to delete files.

Please use:

    display_errors = Off
    log_errors = On

in your php.ini (should be so on production servers anyways).

Or in the code:

    ini_set('display_errors', FALSE);
    ini_set('log_errors', TRUE);

If this product (haven't looked at it) uses its own error handler
routine and doesn't respect these settings, this is worth mentioning
explicitly and even better, provide a patch for the alternate
error handler.

It is hardly ever good advice to turn off error logging.
Met vriendelijke groeten / With kind regards,
Webmaster IDG.nl
Melvyn Sopacua
<@JE> Hosting: $5 per month. Domain name: $15, your site being down twice a
week: Priceless.
http://www.bash.org/?42663
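
Added example (not part of the original message and not eZ publish code): a custom PHP error handler that respects display_errors and log_errors, which is the behaviour the reply above asks of an application's own error handler. The handler name app_error_handler and the file path are hypothetical, and the code assumes PHP 7 or later.

```php
<?php
// Production settings from the reply: hide errors from the client, keep the log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL); // report everything; the ini settings decide where it goes

// Hypothetical application error handler that honours the ini settings
// instead of printing unconditionally or silencing everything.
function app_error_handler(int $errno, string $errstr, string $errfile = '', int $errline = 0): bool
{
    // Not covered by error_reporting(): let PHP's standard handler decide.
    if (!(error_reporting() & $errno)) {
        return false;
    }

    $detail = sprintf('PHP error [%d] %s in %s on line %d', $errno, $errstr, $errfile, $errline);

    // Full detail, including the file system path, goes to the log only.
    if (filter_var(ini_get('log_errors'), FILTER_VALIDATE_BOOLEAN)) {
        error_log($detail);
    }

    // Only show the message to the client when display_errors allows it
    // (development). With display_errors off, no path is disclosed.
    if (filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN)) {
        echo htmlspecialchars($detail, ENT_QUOTES, 'UTF-8'), "\n";
    }

    return true; // handled; skip PHP's built-in handler
}

set_error_handler('app_error_handler');

// Constructed trigger: unlink() on a missing file raises E_WARNING.
// The warning is written to the error log and nothing is shown to the client.
unlink('/nonexistent/constructed-example.txt');

echo "request completed\n";
```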