Re: Fw: PHPNuke 5.4 Path Disclosure Vulnerability?

[Dylan Reeve <dylan () wibble net>]

On Wed, 20 Mar 2002, godminus wrote:

> The vendor was contacted on the 9th of March, 2002, and did not reply

> > The error would be something like:

> > Fatal error: Cannot redeclare theindex() in
> > /var/www_servers/w00/w308vs1701/docs/csleague.israel.net/index.php on line
> > 7

This is what a standard error or warning in PHP looks like, providing that
the error reporting is set to output errors on the pages (which is a good
thing to turn off in production sites for presentation reasons).

Path disclosures like this are likely to appear in very many PHP scripts
when errors are encountered (and are easy to produce in most programs by
messing with query strings).

Ideally, once a script is in production and displayed messages are no
longer needed for debugging, they should be disabled.

To avoid this one of the following things can be done:

1) Set "display_errors" to off in php.ini or with "php_flag display_errors
off" in .htaccess or in an http conf file.

2) Use PHP's error handling functions to disable error reporting or alter
the handling (to email an admin for example, and display a less explicit
error).

Reference:
  PHP Manual: Configuration -
  http://www.php.net/manual/en/configuration.php

  PHP Manual: Error Handling -
  http://www.php.net/manual/en/ref.errorfunc.php

-- 
Dylan Reeve - dylan () wibble net
It's just not cricket.