[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors

To: Paul Laudanski <zx@xxxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
From: Maksymilian Arciemowicz <max@xxxxxxxxxxxx>
Date: Mon, 8 May 2006 12:30:38 +0200

On Monday 08 May 2006 04:49, you wrote:
> You state these problems exist at php.net and elsewhere, so why is the
> subject titled phpbb?  php.net even recommends that for production sites
> displaying of errors is discouraged.  I'm unsure how your report brings
> anything new as you specify the valid use of debug and displaying of
> errors which are already well known.

"Full Path Disclosure" isn't a risk but many systems of PHP or important sites 
are vulnerable to this issues. Of course it is possible to turn off 
display_errors but it isn't changing the fact, that issues should not be. It 
is typical "Full Path Disclosure". 
Yesterday I received the confirmation from phpBB about the acceptance of these 
bug.
PHP is a specific language and are many different possibilities to show full 
path. I will public note about this bugs.

-- 
pub   1024D/7FDF4CEE 2005-09-21
uid                  Maksymilian Arciemowicz (cXIb8O3) <max@xxxxxxxxxxxx>
sub   2048g/AE816DB6 2005-09-21
SecurityReason.Com [Europe]

Follow-Ups:
- Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
  - From: Paul Laudanski

References:
- Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
  - From: Paul Laudanski

Prev by Date: Re: Milliscript 1.4 Multiple Vulnerabilities
Next by Date: Re: Firefox 1.5.0.3 code execution exploit
Previous by thread: Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
Next by thread: Re: phpBB 2.0.20 Full Path Disclosure and SQL Errors
Index(es):
- Date
- Thread