Topic: Possible security risk on forums


RogueJedi_XC

  • Guest
Possible security risk on forums
« on: January 26, 2003, 10:56:03 pm »
I just got a time out error message when looking at the mission scripting forum. The error message gave the exact path to a file on the host computer ("Fatal error: Maximum execution time of 30 seconds exceeded in C:\Inetpub\wwwroot\ubbthreads\<subdir>\<subdir>\<somefile>.<ext> on line 212"). These kinds of verbose error messages should not be sent to the client in production code. Even with all of the patches, hotfixes, and security updates, and the IIS Lockdown Tool, this information could be used by a malicious hacker-type person to damage your website. Or worse.

MrCue

  • Guest
Re: Possible security risk on forums
« Reply #1 on: January 27, 2003, 06:17:54 am »
How so? PHP is parsed by the webserver before it is sent to the client, so they never see any PHP code. So long as the connection info is inside PHP tags it can never be viewed without FTP.

Toasty0

  • Guest
Re: Possible security risk on forums
« Reply #2 on: January 27, 2003, 06:27:15 am »
Even so, I agree with Rogue. Error messages such as that should never be sent to the client. It's one of my major gripes about ASP.NET. Some of its controls, and its XML parser, are prone to sending an error message to the client describing a directory path to the offending code-behind page.

Kind of defeats the whole purpose for code behind, imho.

Best,
Jerry  

RogueJedi_XC

  • Guest
Re: Possible security risk on forums
« Reply #3 on: January 27, 2003, 08:19:20 pm »
How PHP is parsed is not at issue. Exposing the directory structure of the server machine is, however. This information can give insights about how the IIS web server is set up to someone with the right knowledge (or the wrong knowledge, depending on your pov). For example, if the permissions are not set correctly, knowing the path to certain IIS folders can allow an intruder to place his own web pages on your server, store illegal warez/porn, or just modify stuff.
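The fix for the problem raised in the first post and in Reply #3 is to keep the detail (file path, line number) in a server-side log and hand the client only a generic message. The following is an added example, not code from this thread or from ubbthreads; it shows the PHP-level settings and handlers that accomplish that, including a shutdown handler for fatal errors such as "Maximum execution time exceeded", which bypass the normal error handler. The log path is an assumption and should point somewhere outside the web root.

```php
<?php
// Hardened error handling for a PHP site: log full detail, show the client nothing useful.
// Added example; the log path below is assumed, not taken from the thread.

// 1. Never echo errors to the client; record them in a server-side log instead.
//    These keys are PHP_INI_ALL, so ini_set() works at runtime as well as in php.ini.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', 'C:\\logs\\php_errors.log');   // assumed location, outside wwwroot
error_reporting(E_ALL);

// Buffer output so a half-rendered page can be discarded if something fails late.
ob_start();

// 2. Warnings and notices: log them with file/line, then suppress PHP's own output,
//    which would otherwise include the script path in the message.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true;   // handled: PHP's default formatter is not run
});

// 3. Uncaught exceptions: log the trace server-side, send a generic 500 to the client.
set_exception_handler(function (Throwable $e): void {
    error_log((string) $e);
    if (ob_get_level() > 0) {
        ob_end_clean();
    }
    http_response_code(500);
    echo 'An internal error occurred. Please try again later.';
});

// 4. Fatal errors (E_ERROR, e.g. max_execution_time exceeded) never reach set_error_handler.
//    A shutdown function can still read error_get_last() and replace the response.
register_shutdown_function(function (): void {
    $err = error_get_last();
    $fatal = [E_ERROR, E_CORE_ERROR, E_COMPILE_ERROR, E_PARSE];
    if ($err !== null && in_array($err['type'], $fatal, true)) {
        error_log(sprintf('FATAL %s in %s:%d', $err['message'], $err['file'], $err['line']));
        if (ob_get_level() > 0) {
            ob_end_clean();
        }
        if (!headers_sent()) {
            http_response_code(500);
        }
        echo 'An internal error occurred. Please try again later.';
    }
});

// Application code follows; any failure above this point is now logged, not displayed.
```

Include this at the top of the application's common bootstrap file so it runs before any other code. A quick check after deploying is to request a page that is known to fail and confirm the browser shows only the generic message while the path and line number appear in the log file.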

Demandred

  • Guest
Re: Possible security risk on forums
« Reply #4 on: January 28, 2003, 10:00:45 am »
Well, since IIS is Microsoft software with all that implies (their idea of a speedy response time in patching a security hole is at least 6 months) another security risk isn't that big a deal.    
