ID: 10091
Updated by: jmoore
Reported By: [EMAIL PROTECTED]
Status: Bogus
Bug Type: *General Issues
Assigned To:
Comments:
Just a note to say this must have been somthing posted a long time ago (at least I
didnt see it yesterday) and is not a bug or vunrability in PHP as cynic pointed out as
there are various members of the PHP Team who watch bugtraq and react to anything
related to PHP.
James
Previous Comments:
---------------------------------------------------------------------------
[2001-03-31 09:42:25] [EMAIL PROTECTED]
1) you don't need mysql for this. any error message contains full path to the script.
2) this will only happen with display_errors on, which is _not_ recommended for
production sites.
3) I don't think the zillions of PHP coder out there would be grateful if this
authoring/debugging convenience disappeared.
4) you can always write your own error handler that won't give out the path.
=> bogus
---------------------------------------------------------------------------
[2001-03-31 09:35:34] [EMAIL PROTECTED]
at the bugtraq yesterday:
I've found a bug in php/MySQL that can show u the webroot path.
If u ask a non-existent file:
http://xxx.xxx.xxx.xxx/comments.php?file=.3425
server's answer is:
Warning: 0 is not a MySQL result index in
/www/lc/linstart/www/other_languages/german/comments.php on line 74
I don't know if it's xploitable, I dont'know MySQL.
Let's xploit it!!
Darko
--------------
But this:
This will only happen if you have NOT turned off the error reporting in the
php.ini file. If you turn it off, and log the errors to a file you will not
get this.
---------------------------------------------------------------------------
ATTENTION! Do NOT reply to this email!
To reply, use the web interface found at http://bugs.php.net/?id=10091&edit=2
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
