Re: 11226 - Oracle 9iAS default error information disclosure

From: Javier Fernandez-Sanguino (jfernandezat_private)
Date: Mon Feb 17 2003 - 06:19:55 PST


    Paul Johnston wrote:
    > Hi,
    > 
    > I noticed this in the plugin:
    > 
    >          path = location;
    > # Why doesn't this work?
    > #          ereg_replace(pattern: string("(java.io.FileNotFoundException: 
    > )(.*)(",errorjsp,")(\(No such file or directory\))"), replace:"\2", 
    > string: path);
    > 
    > I think this should be:
    > 
    > path = ereg_replace(pattern: string("(java.io.FileNotFoundException:
    > )(.*)(",errorjsp,")(\(No such file or directory\))"), replace:"\2", string:
    > location);
    > 
    > But I don't have any way to test it.
    > 
    > Is the author still here?
    > 
    > Paul
    
    
    	Yep. Still here.
    
    I believe you have just changed path to location. Am I right? If so, 
    you'll notice there's (just above it) a  path = location;
    and 'path' is the one printed in security_hole. Why would changing 
    path->location in the ereg make the regular expression work at all?
    
    	Regards
    
    	Javi
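An added illustration of the two call forms discussed in this thread; it is not part of the original messages or of the plugin. Python's `re` stands in for NASL's `ereg_replace`, which likewise returns the modified string. The sample error text, the file name `nessus_check.jsp`, the escaping of `errorjsp` and the optional whitespace before `(No such` are assumptions made for the example.

```python
import re

# Constructed sample of an error body; the path and file name are made up.
SAMPLE = ("java.io.FileNotFoundException: /opt/example/j2ee/home/"
          "nessus_check.jsp (No such file or directory)")


def build_pattern(errorjsp):
    # Same four groups as the quoted pattern. Assumptions added here:
    # errorjsp is escaped, and whitespace is allowed before "(No such".
    return re.compile(
        r"(java\.io\.FileNotFoundException: )(.*)(" + re.escape(errorjsp) +
        r")\s*(\(No such file or directory\))"
    )


def discard_result(location, errorjsp):
    """Mirror of the commented-out form: the return value is dropped."""
    path = location
    build_pattern(errorjsp).sub(r"\2", path)  # result thrown away
    return path


def assign_result(location, errorjsp):
    """Mirror of the proposed form: the return value is assigned."""
    return build_pattern(errorjsp).sub(r"\2", location)


def extract_path(location, errorjsp):
    """Return the disclosed directory, or None when the pattern does not match.

    A replace call hands back its input untouched on a non-match, so a
    report built from it would print the whole response as the "path".
    """
    m = build_pattern(errorjsp).search(location)
    return m.group(2) if m else None
```
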
    


