severity 703128 important
thanks

On Saturday 16 March 2013 00:45:18, Christoph Anton Mitterer wrote:
> Marking this as important and security, as such ungraceful errors tend to
> be prone to attacks.
Rightly so. These issues indeed should be fixed to prevent any security issues proactively, and it would be great even, if possible, to fix them in wheezy. However, there are no concrete security holes known, so this is a matter of hardening rather than a real vulnerability.

> 2) setup.php -> user gets the whole setup page... including the ability to
> see the whole phpinfo() output... which contains all kind of private
> environment information that might be used by an attacker.
> Therefore the severity: grave.

I disagree about the severity of this. Yes, phpinfo() shouldn't be shown. However, nearly all of the 'private environment information' is fully predictable on a Debian system (paths, PHP versions, library versions, you name it, it's all trivially known already). Add to that that it's not available to the world but only to authorised users. This shouldn't happen, but does not justify 'grave'.

Nonetheless, I urge the maintainer to take this up with upstream and, if a straightforward patch is available, apply it and request unblock.

Cheers,
Thijs