
Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors



On Monday 08 May 2006 04:49, you wrote:
> You state these problems exist at php.net and elsewhere, so why is the
> subject titled phpbb?  php.net even recommends that for production sites
> displaying of errors is discouraged.  I'm unsure how your report brings
> anything new as you specify the valid use of debug and displaying of
> errors which are already well known.

"Full Path Disclosure" isn't a risk, but many PHP systems or important sites 
are vulnerable to these issues. Of course it is possible to turn off 
display_errors, but that doesn't change the fact that the issues should not be 
there. It is a typical "Full Path Disclosure". 
Yesterday I received confirmation from phpBB about the acceptance of these 
bugs.
PHP is a specific language and there are many different possibilities to show 
the full path. I will publish a note about these bugs.

-- 
pub   1024D/7FDF4CEE 2005-09-21
uid                  Maksymilian Arciemowicz (cXIb8O3) <max@xxxxxxxxxxxx>
sub   2048g/AE816DB6 2005-09-21
SecurityReason.Com [Europe]