Joined: Aug 2006
Posts: 13
stranger
7.0.2
I have not been able to find a place to turn off debug. If the SQL server goes down or can not connect, the HTML server will serve up:
Script: full/path/to/ubbthreads.inc.php
Line#: 2089
SQL Error: Can't connect to local MySQL server through socket 'full/path/to/mysqld.sock' (2)
SQL Error #: 2002
Query: select t1.USER_DISPLAY_NAME,t1.USER_PASSWORD,t1.USER_SESSION_ID, t1.USER_MEMBERSHIP_LEVEL, t2.USER_TOTAL_PM, t1.USER_ID, t1.USER_IS_BANNED,t1.USER_IS_UNDERAGE, t2.USER_STYLE,t2.USER_HIDE_LEFT_COLUMN,t2.USER_HIDE_RIGHT_COLUMN from ubbt_USERS AS t1, ubbt_USER_PROFILE as t2 where t1.USER_ID = '' and t1.USER_ID = t2.USER_ID
Although not a problem if one is 100% sure their server is tight, showing the full path to the script shows directory structure which could be used with other exploits. I suggest being able to turn off debug and replace with a message that says:
I am sorry, I cannot connect to the database at this time. Please try again later.
Or something along those lines.
Joined: Jun 2006
Posts: 3,837
Carpal Tunnel
This error should only show to admins.
Joined: Jun 2006
Posts: 16,301 Likes: 116
"this error should only show to admins"
I believe so
Joined: Nov 2006
Posts: 3,095 Likes: 1
Carpal Tunnel
Nope shows to ALL USERS
I just logged out of my site and removed my cookie. Remoted in and shut down MySQL. Tried to attach and I got all the similar data.
It can be disabled as I've seen it discussed before but not sure where or how at the moment though.
Joined: Jun 2006
Posts: 9,242 Likes: 1
Former Developer
There is a setting in the mysql.inc.php to turn this off. It's turned on by default in 7.0-7.0.2, but I switched it to off for 7.1.
You can find this in libs/mysql.inc.php about line 283
$showerror = 1;
That should be
$showerror = 0;
Last edited by Rick; 01/22/2007 5:54 PM.
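The behaviour a switch like `$showerror` controls, as an added example (not UBB.threads code and not written by anyone in this thread): the full error goes to the server log, visitors get a generic message with a reference ID, and detail reaches the browser only for an administrator with the flag on. `render_db_error()`, `$isAdmin`, the 503/Retry-After choice and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not UBB.threads code. $showerror mirrors the flag named in the
// thread; render_db_error(), $isAdmin and the sample values are hypothetical.

// Full detail always goes to the server log; the browser sees it only when
// $showerror is 1 AND the viewer is an administrator.
function render_db_error(int $showerror, bool $isAdmin, array $detail): array
{
    // Random reference lets an admin match a user report to the log entry.
    $ref = bin2hex(random_bytes(4));

    // Script path, line number, driver error and query stay server-side.
    error_log(sprintf(
        'db-error ref=%s script=%s line=%d errno=%d error=%s query=%s',
        $ref, $detail['script'], $detail['line'],
        $detail['errno'], $detail['error'], $detail['query']
    ));

    $body = 'Sorry, the database cannot be reached right now. '
          . "Please try again later. (ref $ref)";

    if ($showerror === 1 && $isAdmin) {
        // Escape before placing driver text into the HTML response.
        $body .= '<br>' . htmlspecialchars(
            "SQL Error #{$detail['errno']}: {$detail['error']}",
            ENT_QUOTES, 'UTF-8'
        );
    }

    // 503 with Retry-After marks the outage as temporary for clients and crawlers.
    return [
        'status'  => 503,
        'headers' => ['Retry-After: 300', 'Content-Type: text/html; charset=UTF-8'],
        'body'    => $body,
    ];
}

// Constructed sample modelled on the error quoted in the first post.
$detail = [
    'script' => 'full/path/to/ubbthreads.inc.php', 'line' => 2089,
    'errno'  => 2002,
    'error'  => "Can't connect to local MySQL server through socket",
    'query'  => 'select ... from ubbt_USERS AS t1, ubbt_USER_PROFILE as t2',
];

$guest = render_db_error(0, false, $detail);   // logged-out visitor
http_response_code($guest['status']);
foreach ($guest['headers'] as $h) { header($h); }
echo $guest['body'], "\n";
```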
Joined: Nov 2006
Posts: 3,095 Likes: 1
Carpal Tunnel
Thanks Rick, I knew I had seen it somewhere before but couldn't remember where. Now responds with:
You are not logged in [Log In]
Database error only visible to forum administrators
Last edited by ntdoc; 01/22/2007 5:59 PM.
Joined: Jun 2006
Posts: 3,837
Carpal Tunnel
My apologies, missed the 7.0.2.
Joined: Aug 2006
Posts: 1,649 Likes: 1
Pooh-Bah
"There is a setting in the mysql.inc.php to turn this off."
Oh goody! Now maybe those errors won't show up in Google results after it tries to crawl my site when it's down for a few minutes....