evolution-cms / evolution

Welcome to the new evolution of MODX Evolution!
GNU General Public License v3.0

How to hide error reporting to users with EVOCMS? Security vulnerability. #2105

Closed q2apro closed 2 years ago

q2apro commented 2 years ago

When there is an error in the code of a snippet, it throws an error report on the frontend.

Example:

image

This SHOWS all the server paths and more details.

And this is also shown to anonymous users.

How to hide these error reports?

Only the CMS user should see them, not others!

In my point of view, this is a security vulnerability of Evolution CMS.

Dmi3yy commented 2 years ago

You see the error only if you are logged in to the manager; if not, you see just one word: 'Error'.

Dmi3yy commented 2 years ago

This code does that: https://github.com/evolution-cms/evolution/blob/3.x/core/src/ExceptionHandler.php#L413-L429

Or, if you turn on debug mode, then it will show for all )

By default it shows only for managers.

q2apro commented 2 years ago

Thanks for your reply. But it really shows all errors, even when not logged in to the manager. That is why I am reporting this problem.

I am running Evo CMS 2.0.4

How to disable it there? I cannot find it in the CMS configuration.

image

q2apro commented 2 years ago

In Evo 2 there is the file core/src/ExceptionHandler.php

There you have: `if ($this->shouldDisplay()) {`

```php
protected function shouldDisplay()
{
    return isset($_SESSION['mgrValidated']) || $this->container['config']->get('app.debug');
}
```

I ran one PHP snippet with an error ... and there was really only 'Error' showing up.

Maybe I had a session cookie in the browser or something similar, so that the error was displayed beforehand.

Case closed.
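The gating discussed in this thread (a validated manager session or `app.debug` enables the verbose report; everyone else gets the single word 'Error'), as an added stand-alone example. This is not Evolution CMS code; the class `DemoExceptionHandler`, the function `renderFor()` and the constructed session arrays are assumptions made for illustration of the same decision logic, and the verbose branch deliberately prints the file path so the leak is visible in the output.

```php
<?php
// Added example, not from the Evolution CMS repository. Models the decision
// the thread describes (core/src/ExceptionHandler.php, shouldDisplay()):
// verbose output only for a validated manager session or when app.debug is on.
declare(strict_types=1);

final class DemoExceptionHandler
{
    /**
     * @param array<string,mixed> $session  stand-in for $_SESSION (assumption)
     * @param bool                $appDebug stand-in for config 'app.debug' (assumption)
     */
    public function __construct(private array $session, private bool $appDebug) {}

    // Same rule as the thread's shouldDisplay(): manager session OR debug mode.
    public function shouldDisplay(): bool
    {
        return isset($this->session['mgrValidated']) || $this->appDebug;
    }

    // Build the response body for an uncaught exception.
    public function render(Throwable $e): string
    {
        if ($this->shouldDisplay()) {
            // Verbose report: message, absolute file path, line and trace.
            // This is what the reporter's screenshot exposed to visitors.
            return sprintf(
                "%s in %s:%d\n%s",
                $e->getMessage(),
                $e->getFile(),
                $e->getLine(),
                $e->getTraceAsString()
            );
        }
        // Anonymous visitor with debug off: no paths, no trace.
        return 'Error';
    }
}

// Simulate a snippet that fails and return what the visitor would see.
function renderFor(array $session, bool $appDebug): string
{
    $handler = new DemoExceptionHandler($session, $appDebug);
    try {
        throw new RuntimeException('snippet failed');
    } catch (Throwable $e) {
        return $handler->render($e);
    }
}

// Constructed cases: the two the thread mentions plus the debug-mode override.
$cases = [
    'anonymous, debug off' => [[], false],
    'manager,   debug off' => [['mgrValidated' => 1], false],
    'anonymous, debug on ' => [[], true],
];

foreach ($cases as $label => [$session, $debug]) {
    $out   = renderFor($session, $debug);
    $leaks = str_contains($out, __FILE__) ? 'LEAKS PATH' : 'no path';
    printf("%s -> %-30s (%s)\n", $label, strtok($out, "\n"), $leaks);
}
```

Two practical checks follow from the third case: confirm on the production site that `app.debug` is off, and reproduce the error from a fresh session (a private window, or `curl` without cookies) rather than from the browser you use for the manager, since a lingering manager session cookie is exactly what the reporter concluded had happened.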