Posted by greggles on May 14, 2012 at 2:17am
There has recently been a publication of a path disclosure issue in Drupal with the title "Drupal 7.14 <= Full Path Disclosure Vulnerability"
As a response to this and the entire class of issues (that our error messages are optimized for usability over security) I've posted this faq entry: Information disclosure in error messages not a weakness (Path disclosure, SQL error messages, etc.)
Please help improve that page to provide any additional, useful guidance.
Edit: For search engines: This has now been assigned CVE-2012-2922.
Comments
Full Path Disclosure a risk?
I have "Error messages to display" set to "None", but when I visit
my-drupal-site.example.com/?q[]=x
(as anonymous), I still get an error message with the full path disclosed.The FAQ describes that it is not a problem, because you can disable the display of error messages. But when this doesn't work (like in my case), does that mean that it could be a risk?
It does appear that this
It does appear that this specific issue gets around that setting, so I added information about PHP which should fix it.
As to whether or not this is a problem you have to ask yourself: is it a problem that someone knows the path to my document root. This is only a problem if you have a second vulnerability that makes this important such as (but not limited to) an arbitrary php execution or arbitrary file upload issue, but in those cases you should focus on fixing those vulnerabilities.
knaddison blog | Morris Animal Foundation
This has now been fixed in
This has now been fixed in Drupal 7.15 and an issue for 6.x is ready for testers at http://drupal.org/node/1576300
knaddison blog | Morris Animal Foundation
Thanks for the CVE
My first search turned up nothing, so I think that's a great improvement so we don't needlessly pester the security team :)