cnwangjie / phurl

Automatically exported from code.google.com/p/phurl

Full path disclosure #70

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Visiting html/index_form.php causes an error because the print_errors function does not get included. This causes the full path the script is running from to be displayed.

This vulnerability is useful if you have an SQL injection, as you know where to load files from and where to place files to.

Fix action: place an .htaccess in the html folder so that people don't have access to it, but the server can still include it,

or place the print_errors function in the functions.php file, like you said you did in 3.2.

Example:
http://d66.org/html/index_form.php

More definition of full path disclosure:
http://www.owasp.org/index.php/Full_Path_Disclosure

Original issue reported on code.google.com by itspa...@gmail.com on 10 Jul 2010 at 12:19
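
A check for confirming the fix, added here as an example and not part of the original issue or phurl's code: it scans rendered page bodies for PHP error messages that expose an absolute filesystem path, the symptom reported above. The sample responses, the path inside them and the function names are constructed for illustration.

```python
import html
import re

# PHP's default message shape is "<Level>: <message> in <file> on line <n>".
# With html_errors on, the parts are wrapped in <b> tags, so tags are stripped first.
PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated|Strict Standards)"
    r":\s+(?P<message>.*?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:\\)\S.*?)\s+on line\s+(?P<line>\d+)",
    re.DOTALL,
)
TAGS = re.compile(r"<[^>]+>")


def find_path_disclosures(body):
    """Return one dict per PHP error message in `body` that exposes an absolute path."""
    text = html.unescape(TAGS.sub("", body))
    return [
        {"level": m["level"], "message": m["message"], "path": m["path"], "line": int(m["line"])}
        for m in PHP_ERROR.finditer(text)
    ]


def audit(responses):
    """Map each page name to its findings, keeping only the pages that leak."""
    report = {}
    for name, body in responses.items():
        findings = find_path_disclosures(body)
        if findings:
            report[name] = findings
    return report


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "html/index_form.php (requested directly, unfixed)": (
        "<br />\n<b>Fatal error</b>:  Call to undefined function print_errors() in "
        "<b>/var/www/example/html/index_form.php</b> on line <b>7</b><br />\n"
    ),
    "html/index_form.php (blocked by .htaccess)": (
        "<h1>Forbidden</h1><p>You don't have permission to access this resource.</p>"
    ),
    "index.php (normal page)": "<form action='index.php' method='post'>URL: <input name='url'></form>",
}

if __name__ == "__main__":
    for page, findings in audit(SAMPLES).items():
        for f in findings:
            print(f"{page}: {f['level']} leaks {f['path']} (line {f['line']})")
```

Feed it the bodies returned by each file under the html folder after deploying either fix; an empty report means no PHP error text with a filesystem path reached the client.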

GoogleCodeExporter commented 9 years ago

Original comment by hcblahb...@gmail.com on 12 Jul 2010 at 1:51

GoogleCodeExporter commented 9 years ago

Original comment by hcblahb...@gmail.com on 26 Oct 2010 at 9:18

GoogleCodeExporter commented 9 years ago

Original comment by hcblahb...@gmail.com on 28 Oct 2010 at 12:10