ID: 10091 Comment by: teen-free257 at hotmail dot com Reported By: megahz at the-megahz dot com Status: Bogus Bug Type: *General Issues Operating System: - PHP Version: 4.0.4pl1 New Comment:
<a href=http://casthandcuff-footf.da.ru>teen free</a> Previous Comments: ------------------------------------------------------------------------ [2001-03-31 10:41:33] [EMAIL PROTECTED] Just a note to say this must have been somthing posted a long time ago (at least I didnt see it yesterday) and is not a bug or vunrability in PHP as cynic pointed out as there are various members of the PHP Team who watch bugtraq and react to anything related to PHP. James ------------------------------------------------------------------------ [2001-03-31 09:42:25] [EMAIL PROTECTED] 1) you don't need mysql for this. any error message contains full path to the script. 2) this will only happen with display_errors on, which is _not_ recommended for production sites. 3) I don't think the zillions of PHP coder out there would be grateful if this authoring/debugging convenience disappeared. 4) you can always write your own error handler that won't give out the path. => bogus ------------------------------------------------------------------------ [2001-03-31 09:35:34] megahz at the-megahz dot com at the bugtraq yesterday: I've found a bug in php/MySQL that can show u the webroot path. If u ask a non-existent file: http://xxx.xxx.xxx.xxx/comments.php?file=.3425 server's answer is: Warning: 0 is not a MySQL result index in /www/lc/linstart/www/other_languages/german/comments.php on line 74 I don't know if it's xploitable, I dont'know MySQL. Let's xploit it!! Darko -------------- But this: This will only happen if you have NOT turned off the error reporting in the php.ini file. If you turn it off, and log the errors to a file you will not get this. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=10091&edit=1
