Re: Xoops 2.2.1 Full Path Disclosure

[kato <gentoo () havenshade com>]

[sorry for the truncated post... stupid. fat. fingers.]

Man, I hate when people put this crap in as a bug in the software.  From 
the PHP.ini file:
-----------------
; Print out errors (as a part of the output).  For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below).  Keeping display_errors enabled on a production 
web site
; may reveal security information to end users, such as file paths on 
your Web
; server, your database schema or other information.
display_errors = On
------------------

There are clearly some issues to address in the XOOPS pages pointed out; 
no doubt there are some bugs to correct.

However, a path disclosure error in PHP is not an issue on a system 
which is configured for production (unless it comes directly from the 
software and not the PHP error reporting logic).

I understand the concern with path disclosure errors.  However, it 
sounds a little too much like our excuse making industry is kicking in 
when we start blaming software for not fixing improperly configured systems.

none () none com wrote:

> Xoops 2.2.1 Full Path Disclosure !!!
>
> http://[target]/include/registerform.php
> [code]
> Warning: main(XOOPS_ROOT_PATH/class/xoopslists.php): failed to open stream: No such file or directory in 
> /home/public_html/site/include/registerform.php on line 28
>
> Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopslists.php' for inclusion 
> (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/registerform.php on line 28
>
> Warning: main(XOOPS_ROOT_PATH/class/xoopsformloader.php): failed to open stream: No such file or directory in 
> /home/public_html/site/include/registerform.php on line 29
>
> Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopsformloader.php' for inclusion 
> (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/registerform.php on line 29
>
> Fatal error: Cannot instantiate non-existent class: xoopsformelementtray in 
> /home/public_html/site/include/registerform.php on line 32
> [/code]
>
> http://[target]/include/commentform.inc.php
>
> [code]
> Warning: main(XOOPS_ROOT_PATH/class/xoopslists.php): failed to open stream: No such file or directory in 
> /home/public_html/site/include/commentform.inc.php on line 28
>
> Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopslists.php' for inclusion 
> (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/commentform.inc.php on line 28
>
> Warning: main(XOOPS_ROOT_PATH/class/xoopsformloader.php): failed to open stream: No such file or directory in 
> /home/public_html/site/include/commentform.inc.php on line 29
>
> Warning: main(XOOPS_ROOT_PATH/class/xoopsformloader.php): failed to open stream: No such file or directory in 
> /home/public_html/site/include/commentform.inc.php on line 29
>
> Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopsformloader.php' for inclusion 
> (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/commentform.inc.php on line 29
>
> Fatal error: Cannot instantiate non-existent class: xoopsthemeform in 
> /home/public_html/site/include/commentform.inc.php on line 30
> [/code]
>
> http://[target]/include/searchform.php
>
> [code]
> Warning: main(XOOPS_ROOT_PATH/class/xoopsformloader.php): failed to open stream: No such file or directory in 
> /home/public_html/site/include/searchform.php on line 27
>
> Warning: main(): Failed opening 'XOOPS_ROOT_PATH/class/xoopsformloader.php' for inclusion 
> (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/public_html/site/include/searchform.php on line 27
>
> Fatal error: Cannot instantiate non-existent class: xoopsthemeform in /home/public_html/site/include/searchform.php on 
> line 30
> [/code]
>
> And also:
> http://[target]/modules/contact/contactform.php
>
>