BugTraq
Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors May 08 2006 10:30AM
Maksymilian Arciemowicz (max jestsuper pl) (1 replies)
On Monday 08 May 2006 04:49, you wrote:
> You state these problems exist at php.net and elsewhere, so why is the
> subject titled phpbb?  php.net even recommends that for production sites
> displaying of errors is discouraged.  I'm unsure how your report brings
> anything new as you specify the valid use of debug and displaying of
> errors which are already well known.

"Full Path Disclosure" isn't a risk, but many PHP systems or important sites
are vulnerable to these issues. Of course it is possible to turn off
display_errors, but that doesn't change the fact that the issues should not
exist. It is a typical "Full Path Disclosure".
Yesterday I received confirmation from phpBB about the acceptance of these
bugs.
PHP is a specific language and there are many different possibilities to show
the full path. I will publish a note about these bugs.

--
pub 1024D/7FDF4CEE 2005-09-21
uid Maksymilian Arciemowicz (cXIb8O3) <max (at) jestsuper (dot) pl [email concealed]>
sub 2048g/AE816DB6 2005-09-21
SecurityReason.Com [Europe]

Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors May 10 2006 12:25AM
Paul Laudanski (zx castlecops com)
Copyright 2010, SecurityFocus