PostNuke

Flexible Content Management System

News

PostNuke Sensitive Information Disclosure

Contributed by on Mar 26, 2003 - 07:00 PM

In response to this alert, below is code to properly correct this issue.




Also posted here:


http://forums.postnuke.com/phpBB2/viewtopic.php?t=9153&highlight=




Here is a simple fix to the issue. Long term, the error reporting should probably be done to a file or set as an option so that more detailed information could be presented when needed in debugging and none when in a production state.




Hope this is helpful.




File: legacy.php




/**
 * Error message due to an ADODB SQL error, then die
 */
function PN_DBMsgError($db='',$prg='',$line=0,$message='Error accesing to the database')
{
    // 2 lines added to strip the server root path
    // (relies on the server setting $_SERVER["SITE_HTMLROOT"])
    $padprg = $prg;
    $prg = str_replace($_SERVER["SITE_HTMLROOT"], "...", $padprg);
    //

    $lcmessage = $message . "" .
        "Program: " . $prg . " - " . "Line No.: " . $line . "";

    // remove report of DB name not necessary in most cases
    // "Database: " . $db->database . " ";

    // append the ADODB error number and text when the driver reported one
    if ($db->ErrorNo() <> 0) {
        $lcmessage .= "Error (" . $db->ErrorNo() . ") : " . $db->ErrorMsg() . "";
    }
    die($lcmessage);
}
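
The long-term approach suggested above (full details to a file, nothing sensitive on screen in production) could look like the following. This is an added example, not PostNuke code; `PN_DEBUG`, `PN_ERROR_LOG`, `pn_db_error_report()` and the `FakeDb` stand-in are hypothetical names, and the log location is an assumption.

```php
<?php
// Added example, not PostNuke code. PN_DEBUG, PN_ERROR_LOG and
// pn_db_error_report() are hypothetical names chosen for illustration.
define('PN_DEBUG', false);   // assumed site-wide switch: true only while debugging
define('PN_ERROR_LOG', sys_get_temp_dir() . '/pn_db_errors.log'); // keep outside the web root

/**
 * Log full details of a database error to a file and return the text
 * that is safe to show to the visitor.
 *
 * $db is expected to expose ErrorNo() and ErrorMsg() like an ADODB connection.
 */
function pn_db_error_report($db, $prg, $line, $message = 'Error accessing the database')
{
    // Random reference lets an admin match a user report to a log entry.
    $ref = bin2hex(random_bytes(4));

    $detail = sprintf('[%s] ref=%s file=%s line=%d', date('c'), $ref, $prg, $line);
    if (is_object($db) && $db->ErrorNo() != 0) {
        $detail .= sprintf(' errno=%d msg=%s', $db->ErrorNo(), $db->ErrorMsg());
    }
    // Strip line breaks so one error is always exactly one log line.
    $detail = str_replace(array("\r", "\n"), ' ', $detail);
    error_log($detail . PHP_EOL, 3, PN_ERROR_LOG);

    if (PN_DEBUG) {
        // Debugging: show everything, escaped for HTML output.
        return htmlspecialchars($message . ' ' . $detail, ENT_QUOTES);
    }
    // Production: no path, line number, or driver error text.
    return htmlspecialchars($message, ENT_QUOTES) . ' (reference ' . $ref . ')';
}

// Constructed stand-in for an ADODB connection, for demonstration only.
class FakeDb
{
    public function ErrorNo()  { return 1146; }
    public function ErrorMsg() { return "Table 'nuke.missing' doesn't exist"; }
}

echo pn_db_error_report(new FakeDb(), __FILE__, __LINE__), PHP_EOL;
```

In a function like `PN_DBMsgError`, the returned string is what would be passed to `die()`, while the script path, line number and driver error stay in the log file.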