Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors

To: Maksymilian Arciemowicz <max@xxxxxxxxxxxx>
Subject: Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
From: Paul Laudanski <zx@xxxxxxxxxxxxxx>
Date: Tue, 9 May 2006 20:25:59 -0400 (EDT)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <200605081230.39160.max@xxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

On Mon, 8 May 2006, Maksymilian Arciemowicz wrote:

> "Full Path Disclosure" isn't a risk but many systems of PHP or important 
> sites 
> are vulnerable to this issues. Of course it is possible to turn off 
> display_errors but it isn't changing the fact, that issues should not be. It 
> is typical "Full Path Disclosure". 
> Yesterday I received the confirmation from phpBB about the acceptance of 
> these 
> bug.
> PHP is a specific language and are many different possibilities to show full 
> path. I will public note about this bugs.

I don't disagree, but I do think path disclosure is not a big deal.  If 
you're running a website, the first thing you have to do is secure the 
daemons on it.  And that includes disabling the displaying of errors, 
disabling debugging, etc.

-- 
Paul Laudanski, Microsoft MVP Windows-Security
Submit Phish: http://castlecops.com/pirt
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com

References:
- Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
  - From: Maksymilian Arciemowicz

Prev by Date: Ipswitch WhatsUp Professional multiple flaws
Next by Date: Several flaws in e-business designer (eBD)
Previous by thread: Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
Next by thread: Firefox 1.5.0.3 code execution exploit
Index(es):
- Date
- Thread