Closed PhrozenByte closed 2 years ago
Comment by @PhrozenByte
Whether PHP errors are shown or not is out of Pico's realm and a matter of the webserver's resp. PHP's configuration (i.e. php.ini). These warnings won't show up with PHP's default config for production systems (XAMPP uses the development config by default). I'd rather close this as invalid since it's 1) no issue with Pico and 2) result of a misconfiguration.
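The configuration point above, as an added example that is not part of the issue or of Pico's own files: the php.ini settings that decide whether a warning (and the server path inside it) reaches the HTTP response. PHP ships two templates, php.ini-development and php.ini-production; XAMPP installs the former, which is why the warnings appear there. The log path is an assumption.

```ini
; Added example, not Pico's configuration. Settings that control full path
; disclosure through PHP warnings. Based on PHP's own php.ini-production defaults.

; --- Weak (development) configuration ---
; Warnings, including the absolute path of the script, are written into the
; HTTP response body. This is what php.ini-development (and XAMPP) ship with.
;display_errors = On
;display_startup_errors = On
;error_reporting = E_ALL

; --- Hardened (production) configuration ---
; Keep the diagnostics, but send them only to the server log, never to the client.
display_errors = Off
display_startup_errors = Off
log_errors = On
; Assumed path: any file outside the document root that the webserver does not serve.
error_log = /var/log/php/error.log
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
```

To confirm which php.ini is loaded and the effective value, run `php --ini` and `php -i | grep display_errors` (or `ini_get('display_errors')` from a script).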
Comment by @melbinkm (Researcher)
Thanks. You're right. Closing issue. 👍
@melbinkm (Researcher) has invalidated this vulnerability
This is not an application vulnerability.
Thank you very much for your research @melbinkm! :heart:
I'm disclosing this security report in accordance with our SECURITY.md.
Reported by @melbinkm via huntr.dev on 2021-08-23 16:34 CEST
→ Please refer to huntr.dev for the full report
✍️ Description
Internal Server path is disclosed in error message.
🕵️‍♂️ Proof of Concept
Request
Response
💥 Impact
A Full Path Disclosure vulnerability enables an attacker to see the full path of the file, and the attacker can utilize this data to misuse some other vulnerability, like Local File Inclusion.
📍 Location
index.php#L1
📝 References