Summary
PHP3 will reveal the physical path of the webroot when asked for a non-existent PHP3 file if it is incorrectly configured. Although printing errors to the output is useful for debugging applications, this feature should not be enabled on production servers.
Solution
In the PHP configuration file change display_errors to 'Off':
display_errors = Off
Reference: http://online.securityfocus.com/archive/1/65078
Reference: http://online.securityfocus.com/archive/101/184240
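One way to verify the fix, as an added example that is not part of the original advisory: the Python function below reads php.ini text and reports the effective display_errors value. The function name and the sample ini contents are constructed for illustration; it assumes the last occurrence of the directive wins and that an absent directive falls back to PHP's built-in default, which displays errors.

```python
import re

# Added example: report the effective display_errors value in php.ini text.
ON_WORDS = {"on", "yes", "true", "stdout", "stderr"}   # case-insensitive
DIRECTIVE = re.compile(r"^\s*display_errors\s*=\s*(.*?)\s*$", re.IGNORECASE)


def effective_display_errors(ini_text):
    """Return (enabled, raw_value, line_no) for the last display_errors entry.

    raw_value and line_no are None when the directive is absent; PHP then
    uses its built-in default, which displays errors.
    """
    raw, line_no = None, None
    for n, line in enumerate(ini_text.splitlines(), 1):
        line = line.split(";", 1)[0]           # drop ';' comments
        m = DIRECTIVE.match(line)
        if m:                                   # assumption: last entry wins
            raw, line_no = m.group(1).strip("\"'"), n
    if raw is None:
        return True, None, None
    if raw.lower() in ON_WORDS:
        return True, raw, line_no
    num = re.match(r"[+-]?\d+", raw)            # numeric form, e.g. 1 or 0
    return bool(num and int(num.group()) != 0), raw, line_no


# Constructed sample configurations (not taken from any real server).
LEFTOVER_DEBUG = """\
[PHP]
display_errors = Off
log_errors = On
display_errors = On ; left over from debugging
"""
HARDENED = """\
;display_errors = On
display_errors = Off
log_errors = On
"""
DIRECTIVE_MISSING = "[PHP]\nlog_errors = On\n"

if __name__ == "__main__":
    for name, text in [("leftover", LEFTOVER_DEBUG), ("hardened", HARDENED),
                       ("missing", DIRECTIVE_MISSING)]:
        print(name, effective_display_errors(text))
```

Values set at runtime with ini_set() or per directory in the web server configuration can override php.ini, so check those as well.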
Severity
Classification
- CVSS Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Related Vulnerabilities
- AjaXplorer Remote Command Injection and Local File Disclosure Vulnerabilities
- Apache Web Server ETag Header Information Disclosure Weakness
- A4Desk Event Calendar 'eventid' Parameter SQL Injection Vulnerability
- Apache Struts Cross Site Scripting Vulnerability
- 11in1 Cross Site Request Forgery and Local File Include Vulnerabilities