Date: Mon, 21 Jan 2013 12:03:42 -0200
From: Henrique Montenegro <typoon@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request - Wordpress 3.5 Full-path disclosure vulnerability

Yes, I also agree that WordPress should fix this and I understand that this
is a low-priority, mostly configuration-related issue. I was just not sure if
this was eligible for a CVE or not. I'll keep this reference in mind for
future times.

Thanks for the help!

Henrique

On Mon, Jan 21, 2013 at 12:00 PM, Henri Salo <henri@...v.fi> wrote:

> On Mon, Jan 21, 2013 at 11:29:45AM +0000, Giles Coochey wrote:
> > Wouldn't setting PHP "display_errors" be for development only, the
> > entire point of the directive is to give the developer more
> > information 'in page'.
> >
> > http://php.net/manual/en/errorfunc.configuration.php#ini.display-errors
> >
> > Quoting:
> > "This is a feature to support your development and should never be
> > used on production systems (e.g. systems connected to the
> > internet)."
>
> You are correct. No CVE, but WordPress should still fix this. Please note that
> some configuration errors still get CVE, but this is not one of those in my
> opinion/knowledge. Path disclosures are usually low-priority issues.
>
> ---
> Henri Salo
>
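
The thread attributes the path disclosure to PHP's `display_errors` being enabled on a production host. The following audit of a `php.ini` for that setting is an added example, not code from the thread or from WordPress; the sample file contents are constructed, and checking `display_startup_errors` and `log_errors` alongside it is an assumption about what a production review would also cover.

```python
# Constructed sample php.ini contents (not taken from the thread).
SAMPLE_INI = """\
[PHP]
; development defaults left in place
display_errors = On
display_startup_errors = 1
log_errors = Off
"""

# Values that switch a boolean directive off; any other value
# (including "stderr") is reported here as enabled.
FALSY = {"", "0", "off", "false", "no", "none", "null"}

# Directive -> whether it should be enabled on an internet-facing host.
EXPECTED = {
    "display_errors": False,
    "display_startup_errors": False,
    "log_errors": True,
}

def effective_settings(ini_text):
    """Return {directive: raw value}; a later assignment overrides an earlier one."""
    settings = {}
    for line in ini_text.splitlines():
        # Simplification: treat everything after ';' as a comment.
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(ini_text):
    """Return a list of (directive, raw value, problem) findings."""
    settings = effective_settings(ini_text)
    findings = []
    for name, want_on in EXPECTED.items():
        if name not in settings:
            # Built-in defaults differ between PHP versions, so ask for an explicit value.
            findings.append((name, None, "not set explicitly"))
            continue
        is_on = settings[name].lower() not in FALSY
        if is_on != want_on:
            findings.append((name, settings[name], "should be " + ("On" if want_on else "Off")))
    return findings

if __name__ == "__main__":
    for name, value, problem in audit(SAMPLE_INI):
        print(f"{name} = {value!r}: {problem}")
```

The check reads one file only; values set elsewhere (per-directory overrides, `ini_set()` calls in application code) are not covered by it.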