|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #10091 -
Submitted: 2001-03-31 09:35 UTC Modified: 2001-03-31 10:41 UTC
From: megahz at the-megahz dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 4.0.4pl1 OS: -
Private report: No CVE-ID: None
 [2001-03-31 09:35 UTC] megahz at the-megahz dot com
at the bugtraq yesterday:
I've found a bug in php/MySQL that can show u the webroot path.

If u ask a non-existent file:

server's answer is:

Warning: 0 is not a MySQL result index in /www/lc/linstart/www/other_languages/german/comments.php on line 74

I don't know if it's xploitable, I dont'know MySQL.
Let's xploit it!!


But this:
This will only happen if you have NOT turned off the error reporting in the
php.ini file. If you turn it off, and log the errors to a file you will not
get this.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2001-03-31 09:42 UTC]
1) you don't need mysql for this. any error message contains full path to the script.
2) this will only happen with display_errors on, which is _not_ recommended for production sites.
3) I don't think the zillions of PHP coder out there would be grateful if this authoring/debugging convenience disappeared.
4) you can always write your own error handler that won't give out the path.

=> bogus
 [2001-03-31 10:41 UTC]
Just a note to say this must have been somthing posted a long time ago (at least I didnt see it yesterday) and is not a bug or vunrability in PHP as cynic pointed out as there are various members of the PHP Team who watch bugtraq and react to anything related to PHP.

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Jun 12 16:01:35 2024 UTC