From: rain forest puppy (rfp wiretrip.net)
Date: Tue Mar 26 2002 - 19:16:47 CST
In the last few weeks there have been many "give this malformed URL to
this PHP script, and it pukes with a full path error message" advisories.
I'd like to point out this is actually a PHP problem, and not the script.
Sure, it shouldn't be so easy to force the script to puke, but it's PHP
that's displaying the error message, not the script.

Thus, this boils down to a PHP configuration issue. If you look in your
php.ini file, you can turn off error reporting to the client and instead
send it to a local file. Sites that have taken the time to do this will
not find themselves vulnerable to this mild information disclosure. While
you're mucking around in your php.ini, consider turning off
register_globals and disabling furl_open_wrapper too.

IIS also does the same thing, particularly with ODBC error messages. If
you dig into your IIS site properties menus, you'll find a checkbox to
disable displaying error messages to the clients as well.
Cheers,
- rfp
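An added example, not part of rfp's post: a small PHP script that audits the php.ini directives the post recommends changing, from inside the running PHP, so an operator can confirm that errors go to a local log rather than to the client. It assumes the "furl_open_wrapper" in the post refers to the allow_url_fopen directive.

```php
<?php
// Added example (not from the post): audit the php.ini directives the post
// mentions from inside PHP, e.g. `php audit.php` on the web host, or via the
// web SAPI to see the settings the web server actually runs with.
// Assumption: the post's "furl_open_wrapper" means allow_url_fopen.

/** Directives to check, with the value a hardened production host should use. */
const HARDENED = [
    'display_errors'   => '0',   // never send error text (paths etc.) to the client
    'log_errors'       => '1',   // ...but keep it, in a local file
    'register_globals' => '0',   // removed in PHP 5.4, so "absent" is fine
    'allow_url_fopen'  => '0',   // what the post calls furl_open_wrapper
];

/**
 * Normalise the spellings php.ini accepts (On/Off, yes/no, 1/0, "", stderr)
 * to '1' or '0' so comparisons are reliable. For display_errors, "stdout" and
 * "stderr" still mean "display", so they count as on.
 */
function ini_bool(string $raw): string {
    $on = ['1', 'on', 'yes', 'true', 'stdout', 'stderr'];
    return in_array(strtolower(trim($raw)), $on, true) ? '1' : '0';
}

/** Returns [directive => 'ok' | 'WEAK' | 'absent'] for the current process. */
function audit_error_config(): array {
    $result = [];
    foreach (HARDENED as $directive => $want) {
        $raw = ini_get($directive);
        if ($raw === false) {            // directive unknown to this PHP build
            $result[$directive] = 'absent';
            continue;
        }
        $result[$directive] = ini_bool($raw) === $want ? 'ok' : 'WEAK';
    }
    // log_errors without an error_log path sends messages to the SAPI logger
    // (usually the web server's error log); flag it so the operator checks.
    if (($result['log_errors'] ?? '') === 'ok' && ini_get('error_log') === '') {
        $result['error_log'] = 'unset (falls back to the SAPI/web-server log)';
    }
    return $result;
}

foreach (audit_error_config() as $directive => $state) {
    printf("%-17s %s\n", $directive, $state);
}
```

Any line reported as WEAK is a directive that should be changed in php.ini (or in the vhost's php_admin_value) and the web server restarted before re-running the check.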