full path disclosure on autoindex

Discussion in 'Bug Reports' started by felosi, Nov 2, 2007.

  1. felosi

    felosi New Member

    For example if you chmod a directory 000 in order to disable it
    Like this http://protectedhost.com/test/
    http://sph1.net/test

    Instead of giving a PHP error displaying the full path, it should simply give a forbidden error. It does the same any time it cannot read any folder, regardless of the contents.

    Is there any quick fix for this? It's somewhat of a security risk because it displays the full path, giving the site's username on the server.
    Seems like it should invoke an error page instead of trying to open autoindex.
    Even with error reporting off, it will still show this.
    Last edited: Nov 2, 2007
  2. brrr

    brrr New Member

    Some suggestions...

    Disable auto-index for that server. And your PHP error reporting settings in php.ini may also be a factor, e.g. ensure display_errors = Off.

    But yeah, when LSWS encounters a file-system resource that it has no permissions to access, I would have thought a 403 error would have come up regardless of every other setting on the server.
  3. felosi

    felosi New Member

    It does the same regardless of display_errors; on the links I posted, display_errors is on, which I really have to leave on so people can see problems with their apps, sites, etc.
    The bottom one is with error reporting off.
  4. admin

    admin Administrator Staff Member

    OK. We will set "display_errors = off" for the autoindex script.
  5. admin

    admin Administrator Staff Member

    And the autoindex script will be changed not to show the error.
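    The failure mode felosi reports (the PHP autoindex script calling opendir() on a chmod 000 directory and letting the resulting warning, which contains the absolute path, reach the browser) and the fix admin describes (display_errors off for the script, and the script not showing the error) can be illustrated side by side. The following is an added example written for this thread, not LiteSpeed's actual autoindex script; the document root `/home/exampleuser/public_html` and the function names are constructed for illustration.

```php
<?php
// Added example, not LiteSpeed's autoindex script. Shows the leaky pattern
// from the thread next to a hardened handler that returns 403 instead.
declare(strict_types=1);

// Constructed document root for the example; a real deployment would take
// this from the server configuration.
const DOC_ROOT = '/home/exampleuser/public_html';

// Leaky pattern: opendir() on an unreadable directory emits
// "Warning: opendir(/home/exampleuser/public_html/test): failed to open dir:
// Permission denied in .../autoindex.php on line N". With display_errors=On
// that text is sent to the client, exposing the path and the account name.
function listDirectoryLeaky(string $dir): array
{
    $entries = [];
    $handle = opendir($dir);          // warning goes straight into the response
    if ($handle === false) {
        return $entries;              // caller cannot tell this failed
    }
    while (($entry = readdir($handle)) !== false) {
        if ($entry !== '.' && $entry !== '..') {
            $entries[] = $entry;
        }
    }
    closedir($handle);
    return $entries;
}

// Hardened version: confine the path to the document root, check readability
// before touching the directory, log details server-side only, and hand back
// an HTTP status for the caller to emit. No absolute path reaches the client.
function listDirectoryHardened(string $docRoot, string $requestPath): array
{
    $root   = realpath($docRoot);
    $target = realpath($docRoot . '/' . ltrim($requestPath, '/'));
    $inside = $root !== false && $target !== false
        && ($target === $root || strncmp($target, $root . '/', strlen($root) + 1) === 0);
    if (!$inside || !is_dir($target)) {
        return ['status' => 404, 'entries' => []];
    }
    // The chmod 000 case from the thread: not readable, so answer 403.
    if (!is_readable($target)) {
        error_log("autoindex: directory not readable: $target"); // server log only
        return ['status' => 403, 'entries' => []];
    }
    $entries = @scandir($target, SCANDIR_SORT_ASCENDING); // suppressed; logged below
    if ($entries === false) {
        error_log("autoindex: scandir failed: $target");
        return ['status' => 403, 'entries' => []];
    }
    return ['status' => 200, 'entries' => array_values(array_diff($entries, ['.', '..']))];
}

// Emitter: status code first, a generic body, never the filesystem path.
function emitListing(array $result, string $requestPath): void
{
    http_response_code($result['status']);
    header('Content-Type: text/html; charset=utf-8');
    if ($result['status'] !== 200) {
        $text = $result['status'] === 403 ? 'Forbidden' : 'Not Found';
        echo '<h1>' . $result['status'] . ' ' . $text . '</h1>';
        return;
    }
    echo '<h1>Index of ' . htmlspecialchars($requestPath, ENT_QUOTES, 'UTF-8') . '</h1><ul>';
    foreach ($result['entries'] as $entry) {
        $safe = htmlspecialchars($entry, ENT_QUOTES, 'UTF-8');
        echo "<li><a href=\"$safe\">$safe</a></li>";
    }
    echo '</ul>';
}

// Belt and braces: even if a warning slips through, keep it out of the
// response and in the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

if (PHP_SAPI !== 'cli') {
    $uri  = $_SERVER['REQUEST_URI'] ?? '/';
    $path = parse_url($uri, PHP_URL_PATH) ?? '/';
    emitListing(listDirectoryHardened(DOC_ROOT, $path), $path);
}
```

The is_readable() check is what turns the chmod 000 case into a 403 before any filesystem warning can be generated; the ini_set() lines cover the case brrr raised, where a site-wide display_errors=On would otherwise still expose anything the script fails to handle. Checking for these two patterns (an unguarded opendir()/scandir() and no per-script display_errors override) is a quick way to audit any directory-listing script for the same path disclosure.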
  6. mistwang

    mistwang LiteSpeed Staff

    Changes have been made to the latest 3.3 build; you are welcome to give it a try.
  7. felosi

    felosi New Member

    Will give it a try tonight; been taking the weekend off. A much needed break, been working 7 days a week for like 2 years now.

    Thanks guys
  8. felosi

    felosi New Member

    Tried the 3.3 build; as soon as I did, all sites got a 503 error and wouldn't load.
  9. mistwang

    mistwang LiteSpeed Staff

    Are you using PHP suExec on that server?
  10. felosi

    felosi New Member

    Yeah, all of them I do.
  11. mistwang

    mistwang LiteSpeed Staff

    If you downloaded the 3.3 release package earlier than yesterday, you should download it again; it has been actively updated.
    If you downloaded it yesterday, I may have to take another look at the 503 issue.
  12. PSS

    PSS Member

    3.3? Where?
  13. mistwang

    mistwang LiteSpeed Staff

    Just change the version number in the download link to get the 32 or 64 bit Linux package.
  14. PSS

    PSS Member

    Thanks. Is there a changelog somewhere?
  15. mistwang

    mistwang LiteSpeed Staff

  16. felosi

    felosi New Member

    Thanks a lot George!

    I would have to say LiteSpeed is the best people I've dealt with concerning bug reports. They take them seriously and fix them asap. I have never been brushed off or had problems filing a report or simply asking a question. That's just awesome in software because back in my hacking/security days we used to notify vendors about exploits and such. 90% of the time they would either deny it, ignore it, or take months fixing it, and almost all of them never treated anything like an emergency.

    Every time anyone reports problems to LiteSpeed they are taken care of fast and everything is treated like a serious issue. Can't ask for more.

    Thanks again!
