Chris Largret wrote:

This full-path disclosure showed up on BugTraq a couple hours ago. Just in case you missed it, you can find a copy here:

http://www.securityfocus.com/archive/1/419706/30/0/threaded

-- Chris Largret http://daga.dyndns.org

And an appropriate analysis posted as a follow up:

http://www.securityfocus.com/archive/1/419710/30/0/threaded

Not at all surprising as already said.

Chris Largret wrote:

On Sun, 2005-12-18 at 00:19 +0100, Jasper Slits wrote:

...

Chris Largret wrote:

...

This full-path disclosure showed up on BugTraq a couple hours ago. Just in case you missed it, you can find a copy here:

...

Wow, a PHP warning in a piece of alpha software when tampering with the request string. Sound the alarm bells, we have full path disclosure.!

A real reason to post on Bugtraq rightaway and not informing this list first :)

Hehe... that was the reason I had originally posted. Guaging from the reply on Bugtraq (as was pointed out), it may be by design. While this is still alpha software, I prefer reading through my error_log file. Not that anyone else has access to it on my site anyway...

I would suggest to read the comments within the config files carefully. The first parameter in main.inc.php is described as follows:

// system error reporting: 1 = log; 2 = report (not implemented yet), // 4 = show, 8 = trace $rcmail_config['debug_level'] = 5;

If you set to 1 (log) you get all errors in a file as desired and they won't be printed to the screen. In case of safe_mode I'd suggest to set php_flag display_errors Off in the .htaccess file. This parameter usually will be overwritten with the settings according to 'debug_level' but it's not always allowed.

Regards, Thomas