Full Disclosure mailing list archives
Re: Re: ZH2005-03SA -- multiple vulnerabilities in NukeBookmarks .6
From: Astharot <astharot () zone-h org>
Date: Thu, 31 Mar 2005 01:00:52 +0200
Paul Laudanski wrote...
I can understand how full path disclosure can be an issue, however, in a production environment the PHP settings to display errors ought to be disabled. As such, full path disclosure goes away.
That is true if the default table names are used. However, it would be worth noting that with any web presence that uses a backend database, the prefix ought to be changed to something random and non-default. Does this completely solve the issue? Of course not, but it can stop the script kiddy attacks. For more on this: http://unixwiz.net/techtips/sql-injection.html Thanks for the disclosure.
So, no one should publish any buffer overflow vulnerability... the stack protection in Windows SP2 and grsecurity can solve every problem... right? :) Buh!

Greetings
Gerardo Di Giacomo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/