[Tickets #5101] horde disclosure of DB connection string in error message
bugs at bugs.horde.org
Sat Mar 10 15:27:58 UTC 2007
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=5101
-----------------------------------------------------------------------
Ticket | 5101
Created By | liamr at deathstar.org
Summary | horde disclosure of DB connection string in error message
Queue | Horde Base
Version | HEAD
Type | Bug
State | Unconfirmed
Priority | 1. Low
Owners |
-----------------------------------------------------------------------
liamr at deathstar.org (2007-03-10 07:27) wrote:
Maybe this should be in enhancement... but... if Horde encounters a fatal
error, it sends a print_r() of the DB object to the browser. It exposes
the database connection information for all the world to see, and that's a
terrible thing to do.

A fatal error has occurred

DB Error: connect failed

[line 90 of /usr/local/projects/webmail/html-dev/horde/ingo/lib/Storage/sql.php]

Details (also in Horde's logfile):

object(DB_Error)#22 (8) {
  ["error_message_prefix"]=>
  ...
  ["dsn"]=>
  array(13) {
    ["phptype"]=>
    string(5) "mysql"
    ["dbsyntax"]=>
    string(5) "mysql"
    ["username"]=>
    string(5) "horde"
    ["password"]=>
    string(9) "L3tM3In!"
    ["protocol"]=>
    string(3) "tcp"
    ["hostspec"]=>
    string(24) "mysql.example.com"
    ["port"]=>
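
Added example (not part of the original ticket and not Horde's code): one way a fatal-error handler can avoid the disclosure reported above, by masking connection fields before the details are logged and sending the browser only a reference id. The function names, the list of sensitive keys and the sample data are assumptions made for illustration.

```php
<?php
// Added example, not Horde code. The key list is an assumption based on the
// DSN fields visible in the ticket's dump.
const SENSITIVE_KEYS = ['username', 'password', 'hostspec', 'port', 'socket', 'database'];

// Recursively copy $value, masking sensitive keys and URL-style DSN credentials.
function redact($value)
{
    if (is_object($value)) {
        $value = get_object_vars($value);   // accessible properties only
    }
    if (is_string($value)) {
        // "mysql://user:pass@host/db" -> "mysql://[redacted]@host/db"
        return preg_replace('#(\w+://)[^/@\s]+@#', '${1}[redacted]@', $value);
    }
    if (!is_array($value)) {
        return $value;
    }
    $out = [];
    foreach ($value as $key => $item) {
        $out[$key] = in_array(strtolower((string) $key), SENSITIVE_KEYS, true)
            ? '[redacted]'
            : redact($item);
    }
    return $out;
}

// Log the redacted details server-side; give the browser only a reference id.
function fatalErrorPage($message, $details)
{
    $ref = bin2hex(random_bytes(4));
    error_log("fatal[$ref] $message " . json_encode(redact($details)));
    return 'A fatal error has occurred. Reference: ' . htmlspecialchars($ref);
}

// Constructed sample shaped like the dump in the ticket.
$details = [
    'message'  => 'DB Error: connect failed',
    'userinfo' => 'mysql://horde:L3tM3In!@mysql.example.com/horde',
    'dsn'      => [
        'phptype'  => 'mysql',
        'username' => 'horde',
        'password' => 'L3tM3In!',
        'hostspec' => 'mysql.example.com',
    ],
];
echo fatalErrorPage('DB Error: connect failed', $details), "\n";
print_r(redact($details));
```

The reference id lets an administrator match the browser message to the log entry without any part of the DB object reaching the client.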