Path disclosure bug on MySQL connection error

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Registered User
Posts: 21
Joined: Sat Dec 25, 2004 6:58 am

Post by Hynee »

I'm not sure where to report bugs, but I've noticed a lot of effort has gone in recently to suppress all possible server path disclosures. Here's what happened, with our shared server path edited out:

Code:

Warning: mysql_connect(): Can't connect to local MySQL server through socket '/var/tmp/mysql.sock' (11) in /path_to_web/forum/db/mysql4.php on line 48

Warning: mysql_error(): supplied argument is not a valid MySQL-Link resource in /path_to_web/forum/db/mysql4.php on line 330

Warning: mysql_errno(): supplied argument is not a valid MySQL-Link resource in /path_to_web/forum/db/mysql4.php on line 331
phpBB : Critical Error

Could not connect to the database

Just to make it clear, this was caused by an error with the MySQL server, not phpBB. It's a path disclosure bug (possibly a security risk) with the MySQL db layer of phpBB.

Security Consultant
Posts: 497
Joined: Sun Nov 14, 2004 8:05 pm

Post by AnthraX101 »

PHP in general, and phpBB in particular, has many path disclosure issues. This particular error is a PHP error message, and not a phpBB one. The best advice is to follow the PHP best practices and set PHP's "display_errors" to 0 and "log_errors" to 1. In addition, change constants.cpp:

Code:

define('DEBUG', 1); // Debugging on

Code:

define('DEBUG', 0); // Debugging off

This will turn off phpBB's error messages that may disclose your database name and table prefixes. If you didn't apply all of the recent patches, this may disclose paths also. The error messages were recently changed to not display full path information.
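
One way to check that the settings discussed above took effect, as an added example that is not part of the original posts: it scans a captured page body for PHP's "in <file> on line <n>" error format and lists every absolute path the page leaks. The function names and the HTML-formatted sample are constructed for illustration.

```python
import html
import re

TAG = re.compile(r"<[^>]+>")
# PHP's error format: "<Level>: <message> in <file> on line <n>"
PHP_ERROR = re.compile(
    r"(?P<level>Warning|Notice|Fatal error|Parse error|Deprecated):\s+"
    r"(?P<message>.*?)\s+in\s+(?P<file>(?:/|[A-Za-z]:\\)\S+)"
    r"\s+on\s+line\s+(?P<line>\d+)"
)
QUOTED_PATH = re.compile(r"'(/[^']+)'")  # absolute paths quoted inside a message


def find_php_errors(body):
    """Return one dict per PHP error message found in a response body."""
    # html_errors wraps parts in <b> tags and encodes quotes, so normalise first.
    text = html.unescape(TAG.sub("", body))
    return [
        {"level": m["level"], "message": m["message"],
         "file": m["file"], "line": int(m["line"])}
        for m in PHP_ERROR.finditer(text)
    ]


def disclosed_paths(body):
    """Every absolute path leaked: script paths plus paths quoted in messages."""
    paths = set()
    for err in find_php_errors(body):
        paths.add(err["file"])
        paths.update(QUOTED_PATH.findall(err["message"]))
    return sorted(paths)


# Output quoted in this thread (path already edited by the poster).
SAMPLE_PLAIN = """Warning: mysql_connect(): Can't connect to local MySQL server through socket '/var/tmp/mysql.sock' (11) in /path_to_web/forum/db/mysql4.php on line 48
Warning: mysql_error(): supplied argument is not a valid MySQL-Link resource in /path_to_web/forum/db/mysql4.php on line 330
Warning: mysql_errno(): supplied argument is not a valid MySQL-Link resource in /path_to_web/forum/db/mysql4.php on line 331
phpBB : Critical Error
"""
# Constructed: the first warning as PHP would render it with html_errors on.
SAMPLE_HTML = (
    "<br />\n<b>Warning</b>:  mysql_connect(): Can&#039;t connect to local MySQL "
    "server through socket &#039;/var/tmp/mysql.sock&#039; (11) in "
    "<b>/path_to_web/forum/db/mysql4.php</b> on line <b>48</b><br />\n"
)

if __name__ == "__main__":
    for path in disclosed_paths(SAMPLE_PLAIN):
        print("leaked:", path)
```

An empty result for the same request after setting "display_errors" to 0 indicates the warnings now go to the log instead of the page.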

