For the record:
; Print out errors (as a part of the output). For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below). Keeping display_errors enabled on a production web site
; may reveal security information to end
On Thu, Mar 10, 2005 at 09:33:19AM +0100, Alban browaeys wrote:
For the record:
; Print out errors (as a part of the output). For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below). Keeping display_errors enabled on a
Package: phpbb2
Severity: grave
Tags: security
Justification: user security hole
A remote user can directly access 'phpBB/db/oracle.php' to cause the system
to display an error message that discloses the installation path.
See
http://securitytracker.com/alerts/2005/Mar/1013377.html
--
To
Hi
from the report http://securitytracker.com/alerts/2005/Mar/1013377.html
this looks like a beginner error.
The error log is from php, not phpBB!
! On a production system error logs on the browser output have to
be disabled !
It is like keeping development backdoors on a production release
...
! On a production system error logs on the browser output have to
be disabled !
It is like keeping development backdoors on a production release
...
If Debian php does it by default, please reassign the bug to it,
but I don't remember it doing it, can you check?
No, unfortunately I don't
On Wed, Mar 09, 2005 at 11:55:01PM +0100, Stefan Fritsch wrote:
! On a production system error logs on the browser output have to
be disabled !
It is like keeping development backdoors on a production release
...
If Debian php does it by default, please reassign the bug to it
but I