Summary: | www-apps/mambo: path disclosure | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Carsten Lohrke (RETIRED) <carlo> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED INVALID | ||
Severity: | normal | CC: | web-apps |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | | ||
Package list: | | Runtime testing required: | --- |
Description
Carsten Lohrke (RETIRED)
web-apps please advise.

That would be the patch:

========================================

in /component/com_content/content.php Approx Line 190

Change the block FROM:

Code:

```php
// Paramters
$params = new stdClass();
if ( $Itemid ) {
    $menu = new mosMenu( $database );
    $menu->load( $Itemid );
    $params =& new mosParameters( $menu->params );
} else {
    $menu = "";
    $params =& new mosEmpty();
}
```

CHANGE TO READ:

Code:

```php
// Paramters
$params = new stdClass();
if ( $Itemid ) {
    $menu = new mosMenu( $database );
    $menu->load( $Itemid );
    $params =& new mosParameters( $menu->params );
} else {
    $menu = "";
    $params =& new mosParameters(''); //mosEmpty();
}
```

=================================

This still has to be confirmed. web-apps herd, please have a look?

I was able to confirm a full path disclosure via a PHP error from a call to an undefined function set(). I'm assuming this is what the bug is referring to, but does not at all seem significant.

Yes, this seems rather minor to me. I propose to close it as WONTFIX, and let the fix filter from upstream some day.

Concur with Koon, path disclosure has a questionable security impact.

I agree if upstream has been informed.

Closing as INVALID -- no real security impact.
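Review bot: In the CHANGE TO block, the else branch keeps the old constructor as a trailing comment (`//mosEmpty();`), and the opening `$params = new stdClass();` is still overwritten in both branches, so neither does anything. I would drop both when applying this. The patch text also should say which call fails on a mosEmpty object, since the only error named in this report is the undefined function set() mentioned in a later comment, and the patch itself gives no way to check that the replacement with `new mosParameters('')` addresses it.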