Date: 03/31/01
- Next message: MegaHz: "[PHP-DEV] Re: PHP 4.0 Bug #10091 Updated: -"
- Previous message: cynic <email protected>: "[PHP-DEV] PHP 4.0 Bug #10016 Updated: MySQL connection"
- Next in thread: jmoore <email protected>: "[PHP-DEV] PHP 4.0 Bug #10091 Updated: -"
- Maybe reply: jmoore <email protected>: "[PHP-DEV] PHP 4.0 Bug #10091 Updated: -"
ID: 10091
Updated by: cynic
Reported By: megahz <email protected>
Old-Status: Open
Status: Bogus
Bug Type: *General Issues
Assigned To:
Comments:
1) you don't need mysql for this. any error message contains full path to the script.
2) this will only happen with display_errors on, which is _not_ recommended for production sites.
3) I don't think the zillions of PHP coders out there would be grateful if this authoring/debugging convenience disappeared.
4) you can always write your own error handler that won't give out the path.
=> bogus
Previous Comments:
---------------------------------------------------------------------------
[2001-03-31 09:35:34] megahz <email protected>
at the bugtraq yesterday:
I've found a bug in php/MySQL that can show u the webroot path.
If u ask a non-existent file:
http://xxx.xxx.xxx.xxx/comments.php?file=.3425
server's answer is:
Warning: 0 is not a MySQL result index in /www/lc/linstart/www/other_languages/german/comments.php on line 74
I don't know if it's xploitable, I don't know MySQL.
Let's xploit it!!
Darko
--------------
But this:
This will only happen if you have NOT turned off the error reporting in the
php.ini file. If you turn it off, and log the errors to a file you will not
get this.
---------------------------------------------------------------------------
ATTENTION! Do NOT reply to this email!
To reply, use the web interface found at http://bugs.php.net/?id=10091&edit=2
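
Added example, not part of the original thread or of PHP itself: one way to combine points 2 and 4 above, with display_errors off and a custom error handler that logs the file and line server-side and shows the visitor only a reference id. It assumes PHP 7 or later; the names quiet_error_handler and fail_generic are hypothetical.

```php
<?php
// Equivalent php.ini settings: display_errors = Off, log_errors = On.
// Fatal and parse errors never reach a user handler, so these settings
// are what keep the path out of the response for those cases.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
// Assumption: error_log in php.ini points to a file outside the web root.

// Hypothetical helper: generic response that carries only a reference id.
function fail_generic(string $ref): void
{
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'An internal error occurred. Reference: ' . htmlspecialchars($ref);
    exit(1);
}

// Hypothetical handler for warnings and notices: full detail goes to the log.
function quiet_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Honour the error_reporting mask (and the @ operator).
    if (!(error_reporting() & $errno)) {
        return false;
    }
    $ref = bin2hex(random_bytes(4)); // id to correlate the page with the log line
    error_log(sprintf('[%s] errno=%d %s in %s on line %d',
        $ref, $errno, $errstr, $errfile, $errline));

    if ($errno & (E_USER_ERROR | E_RECOVERABLE_ERROR)) {
        fail_generic($ref);
    }
    return true; // skip PHP's built-in handler and its path-bearing message
}
set_error_handler('quiet_error_handler');

// Uncaught exceptions would otherwise be reported with file and line as well.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[%s] %s: %s in %s on line %d',
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    fail_generic($ref);
});

// Constructed trigger: raises a warning that is logged, not displayed.
$rows = [];
echo $rows['missing'];
```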

