<<< Date Index >>>     <<< Thread Index >>>

Re: DotClear Full Path Disclosure Vulnerability



They should check that a certain variable is defined for example, and if not, do not display anything... even if the hosted website is configured to display errors, and you cannot change this.

Exactly my point: you may not have the choice of your PHP configuration.

I said I agreed with you. But you can use secure software (or modify the unsecure ones you have), so that they don't enable a full path disclosure, even if you don't have the choice of your PHP configuration! Can't you? ;)

Note that checking a variable is set may note be the best solution as
attacker can provide it as well ;)

I said "for example", as I know this is how MediaWiki does:

if ( ! defined( 'MEDIAWIKI' ) )
    die( 1 );

How would you do it?