Bug 18630 - Too high error reporting level in php.ini for www.mageia.org
Summary: Too high error reporting level in php.ini for www.mageia.org
Status: RESOLVED FIXED
Alias: None
Product: Infrastructure
Classification: Unclassified
Component: Others
Version: unspecified
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: Sysadmin Team
Reported: 2016-06-05 23:47 CEST by Filip Komar
Modified: 2016-06-06 07:22 CEST

Description Filip Komar 2016-06-05 23:47:33 CEST
Current server error_reporting is 22527. That's way too high for a production webserver.

It's possible to set that in the source with ini_set('error_reporting', 0), but not all code does that, so it can unnecessarily expose more surface to attackers by showing errors, warnings and even notices.

I'm sorry for not reporting this sooner. I also didn't test our other domains, as that can also be an exposure of security-critical data, but I guess the concern is valid for them too.
Comment 1 Thomas Backlund 2016-06-06 07:22:11 CEST
php error disabled, was enabled for some reason...

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
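
An added example (not part of the bug report and not Mageia's code) that decodes the error_reporting value quoted in the description into PHP's E_* level names and prints the error-related settings of the interpreter it runs under. display_errors and log_errors are standard php.ini directives that the report does not name; checking them here is an assumption about what an audit would want to see.

```php
<?php
// Added example: decode an error_reporting bitmask and audit the runtime.

// Numeric values of PHP's E_* levels. Literals are used instead of the
// constants so that referencing E_STRICT cannot itself raise a notice.
const LEVELS = [
    1     => 'E_ERROR',
    2     => 'E_WARNING',
    4     => 'E_PARSE',
    8     => 'E_NOTICE',
    16    => 'E_CORE_ERROR',
    32    => 'E_CORE_WARNING',
    64    => 'E_COMPILE_ERROR',
    128   => 'E_COMPILE_WARNING',
    256   => 'E_USER_ERROR',
    512   => 'E_USER_WARNING',
    1024  => 'E_USER_NOTICE',
    2048  => 'E_STRICT',
    4096  => 'E_RECOVERABLE_ERROR',
    8192  => 'E_DEPRECATED',
    16384 => 'E_USER_DEPRECATED',
];

// Split a bitmask into the level names it enables and the ones it leaves off.
function decode_error_reporting(int $mask): array
{
    $on = $off = [];
    foreach (LEVELS as $bit => $name) {
        if ($mask & $bit) { $on[] = $name; } else { $off[] = $name; }
    }
    return ['enabled' => $on, 'disabled' => $off];
}

// 22527 is the value quoted in the bug description.
$decoded = decode_error_reporting(22527);
echo '22527 enables:  ', implode(', ', $decoded['enabled']), PHP_EOL;
echo '22527 disables: ', implode(', ', $decoded['disabled']), PHP_EOL;

// Settings of the interpreter running this script.
$display = strtolower((string) ini_get('display_errors'));
$shown   = !in_array($display, ['', '0', 'off', 'false', 'no'], true);

echo 'error_reporting = ', error_reporting(), PHP_EOL;
echo 'display_errors  = ', $shown ? 'on (messages reach the client)' : 'off', PHP_EOL;
echo 'log_errors      = ', ini_get('log_errors') ? 'on' : 'off', PHP_EOL;
```

Request the script through the web server rather than running it with the CLI binary, since the two can load different php.ini files.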

