Bug #10091 -
Submitted: 2001-03-31 09:35 UTC Modified: 2001-03-31 10:41 UTC
From: megahz at the-megahz dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 4.0.4pl1 OS: -
Private report: No CVE-ID: None
 [2001-03-31 09:35 UTC] megahz at the-megahz dot com
at the bugtraq yesterday:
I've found a bug in php/MySQL that can show u the webroot path.

If u ask a non-existent file:
http://xxx.xxx.xxx.xxx/comments.php?file=.3425

server's answer is:

Warning: 0 is not a MySQL result index in /www/lc/linstart/www/other_languages/german/comments.php on line 74

I don't know if it's xploitable, I don't know MySQL.
Let's xploit it!!

Darko


--------------
But this:
This will only happen if you have NOT turned off the error reporting in the
php.ini file. If you turn it off, and log the errors to a file you will not
get this.

 [2001-03-31 09:42 UTC] cynic@php.net
1) you don't need mysql for this. any error message contains full path to the script.
2) this will only happen with display_errors on, which is _not_ recommended for production sites.
3) I don't think the zillions of PHP coders out there would be grateful if this authoring/debugging convenience disappeared.
4) you can always write your own error handler that won't give out the path.

=> bogus
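
An added example, not part of the original comments or of PHP itself: one way to combine points 2 and 4 above, with `display_errors` off, errors logged server-side, and a custom handler that gives the client only a reference id. The helper name `describe_error`, the message wording and the trigger at the end are constructed for illustration, and the code is written for current PHP rather than 4.0.4pl1.

```php
<?php
// Added example; not code from the bug report or from the PHP project.
// Production settings the comments describe: never display, always log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
// Assumption: no error_log directive is set here, so PHP writes to the
// SAPI default (for example the web server's error log).

/**
 * Hypothetical helper: build the server-side log line (full detail) and
 * the client-facing message (no path, no raw error text) for one error.
 */
function describe_error(int $errno, string $errstr, string $errfile, int $errline, string $ref): array
{
    // $errstr can itself embed paths (e.g. a failed include), so the
    // client message carries only the reference id.
    return [
        'log'    => sprintf('[%s] errno=%d %s in %s on line %d', $ref, $errno, $errstr, $errfile, $errline),
        'client' => sprintf('An internal error occurred (reference %s).', $ref),
    ];
}

set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false; // respect the error_reporting level and @-suppression
    }
    $ref = bin2hex(random_bytes(4)); // lets support match a user report to the log line
    $out = describe_error($errno, $errstr, $errfile, $errline, $ref);
    error_log($out['log']);
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo htmlspecialchars($out['client'], ENT_QUOTES, 'UTF-8'), "\n";
    return true; // skip PHP's built-in handler, which would print the path
});

// Note: a user handler never receives E_ERROR, E_PARSE, E_CORE_* or
// E_COMPILE_* errors, so display_errors must stay off for those cases.

// Constructed trigger: reading a missing array key raises a warning
// (a notice before PHP 8) that the handler above intercepts.
$rows = [];
echo $rows['missing'];
```
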
 [2001-03-31 10:41 UTC] jmoore@php.net
Just a note to say this must have been something posted a long time ago (at least I didn't see it yesterday) and is not a bug or vulnerability in PHP as cynic pointed out as there are various members of the PHP Team who watch bugtraq and react to anything related to PHP.

James
 
Last updated: Tue Mar 19 03:01:29 2024 UTC