In the last few weeks there have been many "give this malformed URL to this PHP script, and it pukes with a full path error message" advisories. I'd like to point out this is actually a PHP problem, and not the script. Sure, it shouldn't be so easy to force the script to puke, but it's PHP that's displaying the error message, not the script. Thus, this boils down to a PHP configuration issue.

If you look in your php.ini file, you can turn off error reporting to the client and instead send it to a local file. Sites that have taken the time to do this will not find themselves vulnerable to this mild information disclosure. While you're mucking around in your php.ini, consider turning off register_globals and disabling furl_open_wrapper too.

IIS also does the same thing, particularly with ODBC error messages. If you dig into your IIS site properties menus, you'll find a checkbox to disable displaying error messages to the clients as well.

Cheers,
- rfp
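The php.ini hardening described above, as an added example that is not part of the original post: a small Python audit of the directives the post mentions, run over two constructed php.ini samples. It assumes that the post's "furl_open_wrapper" refers to the allow_url_fopen directive.

```python
# Added example (not from the original post): audit a php.ini for the
# error-disclosure settings the post recommends changing.

# Directive -> value a hardened server should carry. "allow_url_fopen" is
# assumed here to be the directive the post calls "furl_open_wrapper".
EXPECTED = {"display_errors": "off", "log_errors": "on",
            "register_globals": "off", "allow_url_fopen": "off"}

# Constructed samples (not from any real server): a weak and a hardened file.
WEAK_INI = """[PHP]
; development-style defaults: errors, with full paths, go to the browser
display_errors = On
log_errors = Off
register_globals = On
allow_url_fopen = On
"""
HARDENED_INI = """[PHP]
display_errors = Off
log_errors = On
error_log = "/var/log/php_errors.log"
register_globals = Off
allow_url_fopen = Off
"""

def parse_php_ini(text):
    """Return {directive: value} for the active lines of a php.ini."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue                                  # blank, [section], junk
        key, value = (p.strip() for p in line.split("=", 1))
        settings[key.lower()] = value.strip('"').lower()
    return settings

def normalize(value):
    """Fold PHP's boolean spellings (1/On/True/Yes, 0/Off/...) onto on/off."""
    if value in ("1", "on", "true", "yes"):
        return "on"
    return "off" if value in ("0", "off", "false", "no", "none", "") else value

def audit(text):
    """List (directive, found, expected) for every setting that still leaks
    errors to clients or sits at a risky value; an unset directive is flagged."""
    settings = parse_php_ini(text)
    findings = [(k, settings.get(k, "unset"), want) for k, want in EXPECTED.items()
                if normalize(settings.get(k, "unset")) != want]
    # A log-only policy needs a destination, or the errors are simply lost.
    if normalize(settings.get("log_errors", "")) == "on" and not settings.get("error_log"):
        findings.append(("error_log", "unset", "<path to a local log file>"))
    return findings
```

Running `audit()` over the weak sample flags all four directives, while the hardened sample (which also names an error_log destination) comes back clean.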
This archive was generated by hypermail 2b30 : Tue Mar 26 2002 - 18:55:37 PST