Full Disclosure mailing list archives

Re: [SCSA-016] Multiple vulnerabilities in Ez publish


From: Melvyn Sopacua <msopacua () idg nl>
Date: Tue, 15 Apr 2003 14:54:00 +0200

At 13:28 4/15/2003, Gregory Le Bras | Security Corporation wrote:

[ ... ]

¤ Path Disclosure :

You can fix the path disclosure problem by adding this code in
all the affected files :

-------CUT-------

error_reporting(0);

-------CUT-------

Yeah, that'll help - you won't even be able to get a log of errors, like
'unlink() failed', when somebody found a way to delete files.

Please use:
display_errors  = Off
log_errors = On
in your php.ini (should be so on production servers anyways).

Or in the code:
ini_set('display_errors', FALSE);
ini_set('log_errors', TRUE);

If this product (haven't looked at it) uses its own error handler
routine and doesn't respect these settings, this is worth mentioning
explicitly and even better, provide a patch for the alternate
error handler.

It is hardly ever good advice to turn off error logging.


Met vriendelijke groeten / With kind regards,

Webmaster IDG.nl
Melvyn Sopacua

<@JE> Hosting: $5 per month. Domain name: $15, your site being down twice a week: Priceless.
http://www.bash.org/?42663
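As an added illustration of the error-handler point made above (example code written for this page, not from the original post and not from eZ publish itself): a PHP error handler that honours display_errors and log_errors, so paths go to the log and never to the browser. The leaky_handler is shown only for contrast and is never registered; the function names are hypothetical.

```php
<?php
// Reads a boolean php.ini value as PHP does ("", "0", "off", "no", "false" => false).
function ini_bool(string $name): bool
{
    $v = strtolower(trim((string) ini_get($name)));
    return !in_array($v, ['', '0', 'off', 'no', 'false'], true);
}

// The problematic pattern: an application-level handler that prints the file
// path and line number straight into the response, regardless of php.ini.
// This is exactly what leaks the installation path to a visitor.
function leaky_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    echo "Error: $errstr in $errfile on line $errline";
    return true;
}

// The safer handler: full details go to the error log when log_errors is on,
// and the client only ever sees a generic message, and only if display_errors is on.
function safe_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Respect the @ operator and error_reporting() masks, like PHP's own handler.
    if (!(error_reporting() & $errno)) {
        return false;
    }
    if (ini_bool('log_errors')) {
        // error_log() writes to the configured log / SAPI log, never to the client.
        error_log(sprintf('PHP error %d: %s in %s on line %d', $errno, $errstr, $errfile, $errline));
    }
    if (ini_bool('display_errors')) {
        // Even when display is on, do not echo $errfile: no path in the response.
        echo 'An internal error occurred.';
    }
    return true;
}

// The production settings recommended in the post, applied at runtime.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
set_error_handler('safe_handler');

// Constructed trigger: a failing fopen() on a path that does not exist.
$fh = @fopen('/nonexistent/file.txt', 'r'); // suppressed with @: handler returns false early
fopen('/nonexistent/file.txt', 'r');        // logged with full path; nothing shown to the client
```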

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
