| Summary: | Too high error reporting level in php.ini for www.mageia.org | | |
|---|---|---|---|
| Product: | Infrastructure | Reporter: | Filip Komar <filip.komar> |
| Component: | Others | Assignee: | Sysadmin Team <sysadmin-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | | |
| Priority: | Normal | CC: | sysadmin-bugs, tmb |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | | CVE: | |
| Status comment: | | | |
php error disabled, was enabled for some reason...

Status: NEW => RESOLVED
Current server error_reporting is 22527. That's way too high for a production webserver. It's possible to set that in the source with ini_set('error_reporting', 0) but not all code does that, so it can unnecessarily expose more surface to attackers by showing errors, warnings and even notices. I'm sorry for not reporting this sooner. I also didn't test our other domains, as that can also be an exposure of security-critical data, but I guess the concern is valid for them too.
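
The following check is an added example, not part of the bug report or of Mageia's configuration: it decodes an integer `error_reporting` mask such as the 22527 quoted above into PHP's `E_*` level names and reports which of them would be shown to visitors. The `display_errors` setting in the sample is an assumption, since the ticket does not state it, and the function names are hypothetical.

```python
# Added example (not from the bug report): decode error_reporting and check
# whether the enabled levels would reach the visitor.

# PHP E_* constants and their bit values.
E_LEVELS = {
    1: "E_ERROR", 2: "E_WARNING", 4: "E_PARSE", 8: "E_NOTICE",
    16: "E_CORE_ERROR", 32: "E_CORE_WARNING", 64: "E_COMPILE_ERROR",
    128: "E_COMPILE_WARNING", 256: "E_USER_ERROR", 512: "E_USER_WARNING",
    1024: "E_USER_NOTICE", 2048: "E_STRICT", 4096: "E_RECOVERABLE_ERROR",
    8192: "E_DEPRECATED", 16384: "E_USER_DEPRECATED",
}
# Values that turn display_errors on ("stdout"/"stderr" also enable output).
ON_VALUES = {"1", "on", "yes", "true", "stdout", "stderr"}

def decode_error_reporting(mask):
    """Return the names of the levels enabled in an integer mask."""
    return [name for bit, name in sorted(E_LEVELS.items()) if mask & bit]

def parse_ini(text):
    """Collect key = value pairs from a php.ini fragment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if "=" not in line or line.startswith("["):
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(text):
    """Report enabled levels and which of them are sent to the client."""
    s = parse_ini(text)
    try:
        levels = decode_error_reporting(int(s["error_reporting"]))
    except (KeyError, ValueError):
        levels = None  # absent or symbolic expression: not decoded here
    # PHP's built-in default for display_errors is "1" when it is absent.
    displayed = s.get("display_errors", "1").lower() in ON_VALUES
    return {"levels": levels, "displayed": displayed,
            "exposed": (levels or []) if displayed else []}

# Constructed sample: 22527 comes from the report, display_errors is assumed.
SAMPLE = """[PHP]
error_reporting = 22527   ; value quoted in the ticket
display_errors = On       ; assumed for illustration
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
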