PolarBlog Potential Path Disclosure

Yesterday a friend at work found that he could force a path disclosure leak on some sites running PolarBlog (and many other applications as well, I would think).  This does not pose a danger to your PolarBlog installation, but it can provide information that might be helpful if someone were to find a way into your site via a different application.

The quickest and easiest way to prevent this from occurring is to stop PHP from displaying errors on the screen and have it save them to a log file instead.  This is a very good standard security practice that I've followed for a very long time, and you should too.

If you are running your own server and have access to your php.ini file, you are likely either already doing this or should easily be able to make the appropriate changes there.  But most people run in a shared hosting environment and will need to do this via a .htaccess file.  Instructions for doing this have long been in the PolarBlog documentation.  It is highly recommended that you read and implement the changes in the .htaccess File section of the PolarBlog Documentation.  This will prevent PHP errors from being displayed on your site when errors occur in any of your PHP applications.  Again, this is a highly recommended security practice that will prevent all of your PHP applications from leaking potentially exploitable information to those who may wish you ill.
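As an added illustration (not taken from the PolarBlog documentation), a .htaccess fragment that turns off on-screen errors and sends them to a log file could look like the following. The log path is a placeholder and is an assumption; point it at a file outside your web root that the web server user can write to.

```apache
# Added example, not PolarBlog's own configuration.
# php_flag / php_value only work when PHP runs as an Apache module (mod_php)
# and the host permits them via "AllowOverride Options" or "AllowOverride All".
# Under CGI/FastCGI these lines cause a 500 error; set the same values in
# php.ini (or a per-directory .user.ini where supported) instead.

# Do not send error text, which includes full file paths, to visitors.
php_flag display_errors off
php_flag display_startup_errors off

# Record errors in a log file so they can still be diagnosed.
php_flag log_errors on
# Placeholder path: keep the log outside the document root so it cannot
# be fetched over HTTP.
php_value error_log /home/YOUR_ACCOUNT/logs/php_errors.log

# If the log has to live inside the web root, deny direct requests for it
# (Apache 2.2 syntax; on Apache 2.4 use "Require all denied").
<Files "php_errors.log">
    Order allow,deny
    Deny from all
</Files>
```

After uploading the file, request a page that is known to trigger a PHP warning and confirm that nothing appears in the browser while a new entry shows up in the log.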

I will release an update soon that will prevent this information leak, although I consider this to be a minor security issue, at least for PolarBlog.  But since this information could be leveraged to help attack your system, I will be closing this disclosure bug.
May 5, 2007 @ 08:00 am