Bugtraq mailing list archives
Re: DotClear Full Path Disclosure Vulnerability
From: Cedric Blancher <blancher () cartel-securite fr>
Date: Tue, 13 Feb 2007 06:47:31 +0100
On Monday 12 February 2007 at 22:51 +0100, Raphaël HUCK wrote:
> They should check that a certain variable is defined for example, and if not, do not display anything... even if the hosted website is configured to display errors, and you cannot change this.
Exactly my point: you may not have the choice of your PHP configuration. Note that checking a variable is set may not be the best solution as an attacker can provide it as well ;)
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus. Copy me to your signature file and help me spread!