Full Disclosure mailing list archives
Re: [SCSA-016] Multiple vulnerabilities in Ez publish
From: Melvyn Sopacua <msopacua () idg nl>
Date: Tue, 15 Apr 2003 14:54:00 +0200
At 13:28 4/15/2003, Gregory Le Bras | Security Corporation wrote: [ ... ]
ยค Path Disclosure : You can fix the path disclosure problem by adding this code in all the affected files : -------CUT------- error_reporting(0); -------CUT-------
Yeah, that'll help - you won't even be able to get a log of errors, like 'unlink() failed', when somebody found a way to delete files. Please use: display_errors = Off log_errors = On in your php.ini (should be so on production servers anyways). Or in the code: ini_set('display_errors', FALSE); ini_set('log_errors', TRUE); If this product (haven't looked at it), uses it's own error handler routine and doesn't respect these settings, this is worth mentioning explicitely and even better, provide a patch for the alternate error handler. It is hardly ever good advice to turn of error logging. Met vriendelijke groeten / With kind regards, Webmaster IDG.nl Melvyn Sopacua<@JE> Hosting: $5 per month. Domain name: $15, your site being down twice a week: Priceless.
http://www.bash.org/?42663 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [SCSA-016] Multiple vulnerabilities in Ez publish Gregory Le Bras | Security Corporation (Apr 15)
- Re: [SCSA-016] Multiple vulnerabilities in Ez publish Melvyn Sopacua (Apr 15)
- Re: [SCSA-016] Multiple vulnerabilities in Ez publish Gregory Le Bras | Security Corporation (Apr 15)
- Re: [SCSA-016] Multiple vulnerabilities in Ez publish Melvyn Sopacua (Apr 15)