Re: [SCSA-016] Multiple vulnerabilities in Ez publish

["Gregory Le Bras | Security Corporation" <gregory.lebras () security-corporation com>]

Here a log of errors :

Exploit : http://localhost/kernel/class/delete.php

Errors :

Warning: main(kernel/classes/ezcontentclass.php) [function.main]: failed to
create stream: No such file or directory in c:\program files\ez
systems\ezpublish\kernel\class\delete.php on line 36

Warning: main() [function.main]: Failed opening
'kernel/classes/ezcontentclass.php' for inclusion
(include_path='.;c:\php4\pear') in c:\program files\ez
systems\ezpublish\kernel\class\delete.php on line 36

Warning: main(lib/ezutils/classes/ezhttppersistence.php) [function.main]:
failed to create stream: No such file or directory in c:\program files\ez
systems\ezpublish\kernel\class\delete.php on line 37

Warning: main() [function.main]: Failed opening
'lib/ezutils/classes/ezhttppersistence.php' for inclusion
(include_path='.;c:\php4\pear') in c:\program files\ez
systems\ezpublish\kernel\class\delete.php on line 37

Warning: main(kernel/classes/ezcontentclassclassgroup.php) [function.main]:
failed to create stream: No such file or directory in c:\program files\ez
systems\ezpublish\kernel\class\delete.php on line 38

Warning: main() [function.main]: Failed opening
'kernel/classes/ezcontentclassclassgroup.php' for inclusion
(include_path='.;c:\php4\pear') in c:\program files\ez
systems\ezpublish\kernel\class\delete.php on line 38

Fatal error: Undefined class name 'ezcontentclass' in c:\program files\ez
systems\ezpublish\kernel\class\delete.php on line 49

Note that the php.ini file is not present in the installation by default of
Ez Publish, that is why I did not use
display_errors = Off
Log_errors = One.

Best Regards,

-------
Gregory LEBRAS
Chief Executive Officer
Security Corporation

www.security-corporation.com

----- Original Message -----
From: "Melvyn Sopacua" <msopacua () idg nl>
To: "Gregory Le Bras | Security Corporation"
<gregory.lebras () security-corporation com>
Cc: "Full Disclosure Mailing List" <full-disclosure () lists netsys com>
Sent: Tuesday, April 15, 2003 2:54 PM
Subject: Re: [Full-disclosure] [SCSA-016] Multiple vulnerabilities in Ez
publish


At 13:28 4/15/2003, Gregory Le Bras | Security Corporation wrote:

[ ... ]

> ¤ Path Disclosure :
>
> You can fix the path disclosure problem by adding this code in
> all the affected files :
>
> -------CUT-------
>
> error_reporting(0);
>
> -------CUT-------

Yeah, that'll help - you won't even be able to get a log of errors, like
'unlink() failed', when somebody found a way to delete files.

Please use:
display_errors  = Off
log_errors = On
in your php.ini (should be so on production servers anyways).

Or in the code:
ini_set('display_errors', FALSE);
ini_set('log_errors', TRUE);

If this product (haven't looked at it), uses it's own error handler
routine and doesn't respect these settings, this is worth mentioning
explicitely and even better, provide a patch for the alternate
error handler.

It is hardly ever good advice to turn of error logging.


Met vriendelijke groeten / With kind regards,

Webmaster IDG.nl
Melvyn Sopacua

<@JE> Hosting: $5 per month. Domain name: $15, your site being down twice a
week: Priceless.
http://www.bash.org/?42663



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html