Bug#298688: CAN-2005-0683: Disclosure of installation path
> For the record:
>
>     ; Print out errors (as a part of the output). For production web sites,
>     ; you're strongly encouraged to turn this feature off, and use error logging
>     ; instead (see below). Keeping display_errors enabled on a production web site
>     ; may reveal security information to end users, such as file paths on your Web
>     ; server, your database schema or other information.
>     display_errors = On

So it does. What is your personal view about this? As a PHP developer I would say that the default should not be the debug mode. Would you reassign it to php?

Regards
Alban

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#298688: CAN-2005-0683: Disclosure of installation path
On Thu, Mar 10, 2005 at 09:33:19AM +0100, Alban browaeys wrote:
> > For the record:
> >
> >     ; Print out errors (as a part of the output). For production web sites,
> >     ; you're strongly encouraged to turn this feature off, and use error logging
> >     ; instead (see below). Keeping display_errors enabled on a production web site
> >     ; may reveal security information to end users, such as file paths on your Web
> >     ; server, your database schema or other information.
> >     display_errors = On
>
> So it does. What is your personal view about this?

I accept that someone else has made the decision to set display_errors = On by default. I imagine that this has been discussed, but I'm not sure where (there's no php list that I can see).

> As a PHP developer I would say that the default should not be the debug mode. Would you reassign it to php?

Presumably, over the course of developing a PHP application on Debian, a developer would get at least one error, which would alert them to the fact that this is set as such. I think it is fair to assume that PHP developers and webserver admins should both be aware of the existence of this option. However, one could argue that J. User is neither of the above, and may well install one of Debian's PHP applications (say, phpbb2) without being aware of it.

Justin
Bug#298688: CAN-2005-0683: Disclosure of installation path
Package: phpbb2
Severity: grave
Tags: security
Justification: user security hole

A remote user can directly access 'phpBB/db/oracle.php' to cause the system to display an error message that discloses the installation path.

See http://securitytracker.com/alerts/2005/Mar/1013377.html
Bug#298688: CAN-2005-0683: Disclosure of installation path
Hi,

From the report http://securitytracker.com/alerts/2005/Mar/1013377.html this looks like a beginner error. The error log is from php, not phpBB!

! On a production system, error logs on the browser output have to be disabled! It is like keeping development backdoors on a production release...

If Debian php does it by default, please reassign the bug to it, but I don't remember it doing it; can you check?

At least the maintainer is right in that it has nothing to do with phpBB.

Thanks
Alban
Bug#298688: CAN-2005-0683: Disclosure of installation path
> ! On a production system, error logs on the browser output have to be disabled! It is like keeping development backdoors on a production release...
>
> If Debian php does it by default, please reassign the bug to it, but I don't remember it doing it; can you check?

No, unfortunately I don't have a php installation where I can check it. I just went through the new CANs.

Anyway, I don't know what I was thinking when I filed the report. Disclosure of the installation path is of course not an issue in Debian.
Bug#298688: CAN-2005-0683: Disclosure of installation path
On Wed, Mar 09, 2005 at 11:55:01PM +0100, Stefan Fritsch wrote:
> > ! On a production system, error logs on the browser output have to be disabled! It is like keeping development backdoors on a production release...
> >
> > If Debian php does it by default, please reassign the bug to it, but I don't remember it doing it; can you check?
>
> No, unfortunately I don't have a php installation where I can check it. I just went through the new CANs.
>
> Anyway, I don't know what I was thinking when I filed the report. Disclosure of the installation path is of course not an issue in Debian.

For the record:

    ; Print out errors (as a part of the output). For production web sites,
    ; you're strongly encouraged to turn this feature off, and use error logging
    ; instead (see below). Keeping display_errors enabled on a production web site
    ; may reveal security information to end users, such as file paths on your Web
    ; server, your database schema or other information.
    display_errors = On
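The php.ini excerpt quoted twice in this thread is the whole issue: with display_errors = On, any warning PHP emits is written into the HTTP response, and PHP warnings routinely contain the absolute path of the script that raised them. The following script is an added example, not code from the bug thread, from phpBB or from Debian's php package. It triggers one and the same warning under the default setting and under the hardened production setting (display_errors = Off, log_errors = On) and shows what the client receives in each case. The log file location and the missing include name are constructed for the demo.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not from the bug thread, phpBB or Debian): reproduce the
 * class of leak described in CAN-2005-0683 and show the hardened setting.
 * Run from the command line:  php display_errors_demo.php
 * The log file path below is an assumption chosen so the demo runs anywhere.
 */

/**
 * Apply one of the two configurations, trigger a warning that carries an
 * absolute filesystem path, and return exactly what would have reached
 * the client (output buffering captures displayed errors as well).
 */
function clientVisibleOutput(bool $displayErrors, string $logFile): string
{
    // The only difference between the two runs is display_errors.
    // log_errors + error_log is the production alternative the php.ini
    // comment recommends: the message still exists, but server-side only.
    ini_set('display_errors', $displayErrors ? '1' : '0');
    ini_set('log_errors', '1');
    ini_set('error_log', $logFile);
    error_reporting(E_ALL);

    ob_start();
    // A library file requested directly (the phpBB/db/oracle.php case in
    // the report) typically fails on an include it expected its entry point
    // to have satisfied. PHP's warning names both the missing file and the
    // full path of the script that issued it.
    include __DIR__ . '/file_that_does_not_exist.php';
    return (string) ob_get_clean();
}

// Constructed location for the server-side log; nothing from the thread.
$logFile = sys_get_temp_dir() . '/display_errors_demo.log';
@unlink($logFile);

$leaky    = clientVisibleOutput(true, $logFile);   // Debian default at the time
$hardened = clientVisibleOutput(false, $logFile);  // what php.ini recommends

echo "display_errors = On, the client receives:\n", $leaky, "\n";
echo "display_errors = Off, the client receives: ",
     $hardened === '' ? "(nothing)\n" : $hardened;
echo "Both warnings were logged server-side in $logFile:\n",
     file_get_contents($logFile);
```

Two caveats a practitioner should keep in mind. The value that matters is the one in the php.ini loaded by the web server's SAPI, which is not necessarily the same file the command-line interpreter reads, so check the setting there rather than with `php -r`. And calling `ini_set('display_errors', '0')` from inside an application is only a fallback: a parse error in the script is reported before any of its code runs, so only php.ini (or the web server's own PHP configuration directives) reliably keeps such messages out of the response.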