BugTraq
Xoops 2.2.1 Full Path Disclosure Aug 12 2005 07:16AM
none none com (1 replies)
Re: Xoops 2.2.1 Full Path Disclosure Aug 12 2005 06:51PM
kato (gentoo havenshade com)
[sorry for the truncated post... stupid. fat. fingers.]

Man, I hate when people put this crap in as a bug in the software. From
the PHP.ini file:
-----------------
; Print out errors (as a part of the output). For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below). Keeping display_errors enabled on a production web site
; may reveal security information to end users, such as file paths on your Web
; server, your database schema or other information.
display_errors = On
------------------

There are clearly some issues to address in the XOOPS pages pointed out;
no doubt there are some bugs to correct.

However, a path disclosure error in PHP is not an issue on a system
which is configured for production (unless it comes directly from the
software and not the PHP error reporting logic).

I understand the concern with path disclosure errors. However, it
sounds a little too much like our excuse-making industry is kicking in
when we start blaming software for not fixing improperly configured systems.

none (at) none (dot) com [email concealed] wrote:

>Xoops 2.2.1 Full Path Disclosure !!!
>
>http://[target]/include/registerform.php
>[code]
>Warning: main(XOOPS_ROOT_PATH/class/xoopslists.php): failed to open stream: No such file or directory in /home/public_html/site/include/registerform.php on line 28
>
>Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopslists.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/registerform.php on line 28
>
>Warning: main(XOOPS_ROOT_PATH/class/xoopsformloader.php): failed to open stream: No such file or directory in /home/public_html/site/include/registerform.php on line 29
>
>Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopsformloader.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/registerform.php on line 29
>
>Fatal error: Cannot instantiate non-existent class: xoopsformelementtray in /home/public_html/site/include/registerform.php on line 32
>[/code]
>
>http://[target]/include/commentform.inc.php
>
>[code]
>Warning: main(XOOPS_ROOT_PATH/class/xoopslists.php): failed to open stream: No such file or directory in /home/public_html/site/include/commentform.inc.php on line 28
>
>Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopslists.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/commentform.inc.php on line 28
>
>Warning: main(XOOPS_ROOT_PATH/class/xoopsformloader.php): failed to open stream: No such file or directory in /home/public_html/site/include/commentform.inc.php on line 29
>
>Warning: main(XOOPS_ROOT_PATH/class/xoopsformloader.php): failed to open stream: No such file or directory in /home/public_html/site/include/commentform.inc.php on line 29
>
>Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopsformloader.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/commentform.inc.php on line 29
>
>Fatal error: Cannot instantiate non-existent class: xoopsthemeform in /home/public_html/site/include/commentform.inc.php on line 30
>[/code]
>
>http://[target]/include/searchform.php
>
>[code]
>Warning: main(XOOPS_ROOT_PATH/class/xoopsformloader.php): failed to open stream: No such file or directory in /home/public_html/site/include/searchform.php on line 27
>
>Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopsformloader.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/searchform.php on line 27
>
>Fatal error: Cannot instantiate non-existent class: xoopsthemeform in /home/public_html/site/include/searchform.php on line 30
>[/code]
>
>And also:
>http://[target]/modules/contact/contactform.php
>

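As an added example, not part of either post above, the following Python script parses a php.ini body and flags the error-display directives kato quotes. The two embedded ini fragments are constructed for this example: the first mirrors the `display_errors = On` setting quoted above, the second shows what a production deployment should set instead (the `error_log` path in it is an assumption). The audit also treats non-boolean values such as `display_errors = stderr` the way PHP does, as enabled.

```python
"""Audit a php.ini for the error-display directives discussed above (added example)."""

# Constructed sample: the weak setting quoted in kato's post.
WEAK_INI = """\
[PHP]
; Print out errors (as a part of the output). For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below).
display_errors = On
log_errors = Off
"""

# Constructed sample: the same directives as a production deployment should set them.
# The error_log path is an assumption for this example.
HARDENED_INI = """\
[PHP]
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = "/var/log/php/error.log"  ; keep it outside the document root
"""

TRUE_WORDS = {"1", "on", "true", "yes"}
FALSE_WORDS = {"0", "off", "false", "no", "none", ""}


def parse_php_ini(text):
    """Return {directive: value} for a php.ini body; the last assignment wins.

    Skips blank lines, ';' comments and [section] headers, strips surrounding
    quotes and trailing ';' comments. Directive names are kept as written.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value.startswith('"'):
            end = value.find('"', 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            value = value.split(";", 1)[0].strip()
        settings[key.strip()] = value
    return settings


def ini_bool(value):
    """Mimic PHP's loose interpretation of boolean ini values."""
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    # Any other non-empty string (e.g. display_errors = stderr) still enables the feature.
    return True


def audit_error_settings(ini_text):
    """Return a list of findings; an empty list means the error directives are production-safe."""
    s = parse_php_ini(ini_text)
    findings = []

    for directive in ("display_errors", "display_startup_errors"):
        if directive not in s:
            findings.append(f"{directive} not set explicitly; the compiled-in default applies")
        elif ini_bool(s[directive]):
            findings.append(f"{directive} = {s[directive]}: PHP prints warnings, including "
                            "absolute file paths, into the HTTP response")

    if "log_errors" not in s or not ini_bool(s["log_errors"]):
        findings.append("log_errors is off or unset: errors that are no longer displayed "
                        "would be lost instead of logged")
    elif not s.get("error_log"):
        findings.append("error_log is unset: errors fall back to the SAPI/web server log; "
                        "confirm that is where you want them")
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{name}: {audit_error_settings(ini) or ['OK']}")
```

One caveat the script cannot see: application code can call `ini_set('display_errors', '1')` at runtime and undo a correct php.ini. On Apache with mod_php, setting `php_admin_flag display_errors off` in the server configuration cannot be overridden by scripts or `.htaccess`, which is the stronger way to enforce kato's point.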
Copyright 2010, SecurityFocus