This full-path disclosure showed up on BugTraq a couple hours ago. Just in case you missed it, you can find a copy here:
http://www.securityfocus.com/archive/1/419706/30/0/threaded
-- Chris Largret http://daga.dyndns.org
Chris Largret wrote:
> This full-path disclosure showed up on BugTraq a couple hours ago. Just in case you missed it, you can find a copy here:
> http://www.securityfocus.com/archive/1/419706/30/0/threaded
> -- Chris Largret http://daga.dyndns.org
Wow, a PHP warning in a piece of alpha software when tampering with the request string. Sound the alarm bells, we have full path disclosure!
A real reason to post on Bugtraq right away and not inform this list first :)
Jasper
On Sun, 2005-12-18 at 00:19 +0100, Jasper Slits wrote:
> Chris Largret wrote:
> > This full-path disclosure showed up on BugTraq a couple hours ago. Just in case you missed it, you can find a copy here:
> Wow, a PHP warning in a piece of alpha software when tampering with the request string. Sound the alarm bells, we have full path disclosure!
> A real reason to post on Bugtraq right away and not inform this list first :)
Hehe... that was the reason I had originally posted. Gauging from the reply on Bugtraq (as was pointed out), it may be by design. While this is still alpha software, I prefer reading through my error_log file. Not that anyone else has access to it on my site anyway...
-- Chris Largret http://daga.dyndns.org
Chris Largret wrote:
> On Sun, 2005-12-18 at 00:19 +0100, Jasper Slits wrote:
> > Chris Largret wrote:
> > > This full-path disclosure showed up on BugTraq a couple hours ago. Just in case you missed it, you can find a copy here:
> > Wow, a PHP warning in a piece of alpha software when tampering with the request string. Sound the alarm bells, we have full path disclosure!
> > A real reason to post on Bugtraq right away and not inform this list first :)
> Hehe... that was the reason I had originally posted. Gauging from the reply on Bugtraq (as was pointed out), it may be by design. While this is still alpha software, I prefer reading through my error_log file. Not that anyone else has access to it on my site anyway...
I would suggest reading the comments within the config files carefully. The first parameter in main.inc.php is described as follows:

    // system error reporting: 1 = log; 2 = report (not implemented yet),
    // 4 = show, 8 = trace
    $rcmail_config['debug_level'] = 5;

If you set it to 1 (log), you get all errors in a file as desired and they won't be printed to the screen. In case of safe_mode, I'd suggest setting php_flag display_errors Off in the .htaccess file. This parameter will usually be overwritten with the settings according to 'debug_level', but it's not always allowed.
Regards, Thomas
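
Added example (not part of Thomas's message and not RoundCube's own code): a small Python check of the two settings described above. It assumes debug_level is a bit mask of the values listed in the quoted comment, so 5 = 1 + 4 (log plus show); the function names, finding texts and sample inputs are constructed for illustration.

```python
import re

# Flag values from the comment in main.inc.php quoted in the thread.
FLAGS = {1: "log", 2: "report", 4: "show", 8: "trace"}

DEBUG_RE = re.compile(
    r"""^[ \t]*\$rcmail_config\[['"]debug_level['"]\][ \t]*=[ \t]*(\d+)[ \t]*;""", re.M)
DISPLAY_RE = re.compile(r"^[ \t]*php_flag[ \t]+display_errors[ \t]+(\S+)", re.M | re.I)


def decode_debug_level(value):
    """Names of the flags set in a debug_level value, lowest bit first."""
    return [name for bit, name in sorted(FLAGS.items()) if value & bit]


def audit(main_inc_text, htaccess_text=""):
    """Check the two settings from the thread; returns a list of findings."""
    findings = []
    levels = DEBUG_RE.findall(main_inc_text)  # commented-out lines do not match
    if not levels:
        findings.append("debug_level is not set")
    else:
        flags = decode_debug_level(int(levels[-1]))  # last assignment wins in PHP
        if "show" in flags:
            findings.append("debug_level includes 4 (show): errors are printed to the page")
        if "log" not in flags:
            findings.append("debug_level lacks 1 (log): errors are not written to the log")
    display = DISPLAY_RE.findall(htaccess_text)
    if not display or display[-1].lower() not in ("off", "0"):
        findings.append("display_errors is not switched off in .htaccess")
    return findings


# Constructed sample inputs (not taken from a real installation).
SHIPPED = """// system error reporting: 1 = log; 2 = report (not implemented yet),
// 4 = show, 8 = trace
$rcmail_config['debug_level'] = 5;
"""
HARDENED = SHIPPED.replace("= 5;", "= 1;")
HTACCESS = "php_flag display_errors Off\n"

if __name__ == "__main__":
    print(decode_debug_level(5))
    print(audit(SHIPPED))
    print(audit(HARDENED, HTACCESS))
```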
Chris Largret wrote:
> This full-path disclosure showed up on BugTraq a couple hours ago. Just in case you missed it, you can find a copy here:
> http://www.securityfocus.com/archive/1/419706/30/0/threaded
> -- Chris Largret http://daga.dyndns.org
And an appropriate analysis posted as a follow up:
http://www.securityfocus.com/archive/1/419710/30/0/threaded
Not at all surprising as already said.