#261 \class\token.php with 2 undefined constants

2.1.8
open-accepted
nobody
None
5
2010-05-09
2010-04-28
Mikhail Miguel
No

1) \html\class\token.php with two undefined constants: XOOPS_DB_PREFIX and XOOPS_ROOT_PATH
2) related error message with full path disclosure vulnerability.

---

<br />
<b>Notice</b>: Use of undefined constant XOOPS_DB_PREFIX - assumed 'XOOPS_DB_PREFIX' in <b>XXX\html\class\token.php</b> on line <b>15</b><br />
<br />
<b>Notice</b>: Use of undefined constant XOOPS_DB_USER - assumed 'XOOPS_DB_USER' in <b>XXX\html\class\token.php</b> on line <b>15</b><br />
<br />
<b>Notice</b>: Use of undefined constant XOOPS_ROOT_PATH - assumed 'XOOPS_ROOT_PATH' in <b>XXX\html\class\token.php</b> on line <b>15</b><br />

Discussion

  • Mikhail Miguel
    2010-04-28

    Oops, there are three and not only two undefined constants: XOOPS_DB_PREFIX, XOOPS_DB_USER and XOOPS_ROOT_PATH.

    Of course, the full path disclosure vulnerability created by the notice message is related to the PHP.INI settings.

     
  • minahito
    2010-05-09

    We need to add guard code.

     
  • minahito
    2010-05-09

    • milestone: 903888 --> 2.1.8
    • status: open --> open-accepted
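
One way to audit for the missing guard discussed in this ticket, as an added example that is not the project's own code: it reports the first XOOPS_* constant a file reads before a `defined('XOOPS_...')` check followed by `exit`. The guard form, the sample file names and `XOOPS_SAMPLE_KEY` are assumptions made for the illustration.

```php
<?php
// Added example, not the project's code. Heuristic: report the first XOOPS_*
// constant a file reads before a "defined('XOOPS_...') ... exit" guard.
function firstUnguardedConstant($source)
{
    $sawDefinedCheck = false;
    $tokens = token_get_all($source);
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) {
            continue; // one-character token such as "(" or ";"
        }
        list($id, $text) = $tok;
        if ($id === T_EXIT && $sawDefinedCheck) {
            return null; // exit/die after the check: a direct request stops here
        }
        if ($id !== T_STRING) {
            continue;
        }
        if (strtolower($text) === 'defined') {
            // Accept defined('XOOPS_...') by scanning the next few tokens.
            foreach (array_slice($tokens, $i + 1, 4) as $next) {
                if (is_array($next) && $next[0] === T_CONSTANT_ENCAPSED_STRING
                    && preg_match('/^[\'"]XOOPS_/', $next[1])) {
                    $sawDefinedCheck = true;
                }
            }
        } elseif (preg_match('/^XOOPS_[A-Z0-9_]+$/', $text)) {
            return $text; // bare constant read with no guard in front of it
        }
    }
    return null;
}

// Constructed samples. XOOPS_SAMPLE_KEY is a hypothetical name; its defined()
// test is not a guard because nothing exits before the constants are read.
$body = "if (!defined('XOOPS_SAMPLE_KEY')) define('XOOPS_SAMPLE_KEY',"
      . " XOOPS_DB_PREFIX . XOOPS_DB_USER . XOOPS_ROOT_PATH);\n";
$samples = array(
    'unguarded.php' => "<?php\n" . $body,
    'guarded.php'   => "<?php\nif (!defined('XOOPS_ROOT_PATH')) {"
                     . " header('HTTP/1.0 403 Forbidden'); exit; }\n" . $body,
);
foreach (array_slice(isset($argv) ? $argv : array(), 1) as $path) {
    $samples[$path] = file_get_contents($path); // optional: real files to audit
}
foreach ($samples as $name => $source) {
    $hit = firstUnguardedConstant($source);
    echo $name, ': ', $hit === null ? 'ok' : "reads $hit before any guard", "\n";
}
```

Run it with the `php` command-line binary; any extra arguments are treated as paths of files to audit alongside the samples. Setting `display_errors = Off` in php.ini hides the path in the notice, but only the guard stops the file from executing on a direct request.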