Bugtraq mailing list archives
Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
From: Paul Laudanski <zx () castlecops com>
Date: Tue, 9 May 2006 20:25:59 -0400 (EDT)
On Mon, 8 May 2006, Maksymilian Arciemowicz wrote:
"Full Path Disclosure" isn't a risk but many systems of PHP or important sites are vulnerable to this issues. Of course it is possible to turn off display_errors but it isn't changing the fact, that issues should not be. It is typical "Full Path Disclosure". Yesterday I received the confirmation from phpBB about the acceptance of these bug. PHP is a specific language and are many different possibilities to show full path. I will public note about this bugs.
I don't disagree, but I do think path disclosure is not a big deal. If you're running a website, the first thing you have to do is secure the daemons on it. And that includes disabling the displaying of errors, disabling debugging, etc. -- Paul Laudanski, Microsoft MVP Windows-Security Submit Phish: http://castlecops.com/pirt [de] http://de.castlecops.com [en] http://castlecops.com [wiki] http://wiki.castlecops.com [family] http://cuddlesnkisses.com
Current thread:
- phpBB 2.0.20 Full Path Disclosure and SQL Errors cxib (May 06)
- Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors Paul Laudanski (May 10)
- Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors Maksymilian Arciemowicz (May 10)
- Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors Paul Laudanski (May 12)
- Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors Maksymilian Arciemowicz (May 10)
- Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors Paul Laudanski (May 10)