Bugtraq mailing list archives
Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
From: Maksymilian Arciemowicz <max () jestsuper pl>
Date: Mon, 8 May 2006 12:30:38 +0200
On Monday 08 May 2006 04:49, you wrote:
> You state these problems exist at php.net and elsewhere, so why is the subject titled phpbb? php.net even recommends that for production sites displaying of errors is discouraged. I'm unsure how your report brings anything new as you specify the valid use of debug and displaying of errors which are already well known.
"Full Path Disclosure" isn't a risk, but many systems of PHP or important sites are vulnerable to these issues. Of course it is possible to turn off display_errors, but that doesn't change the fact that the issues should not be there. It is a typical "Full Path Disclosure". Yesterday I received the confirmation from phpBB about the acceptance of these bugs. PHP is a specific language and there are many different possibilities to show the full path. I will publish a note about these bugs.

--
pub 1024D/7FDF4CEE 2005-09-21
uid Maksymilian Arciemowicz (cXIb8O3) <max () jestsuper pl>
sub 2048g/AE816DB6 2005-09-21
SecurityReason.Com [Europe]