Drupal errors reveal private implementation details to the world
| Project: | Drupal |
|---|---|
| Version: | 6.x-dev |
| Component: | base system |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | active |
Drupal is revealing private implementation details to the world whenever an error occurs. Specifically, a malicious visitor could gain these details from an error message:

* Full path to your Drupal site.
* Names of enabled modules.
* Names of variables or functions.
I have attached a sample error that shows how all three were revealed to an anonymous user.
It is commonly accepted security practice to make error messages circumspect except to trusted users. This should be the default behavior. See http://www.owasp.org/index.php/Improper_Error_Handling for a case in point.
By default, error details should only be displayed to Drupal administrators or other users designated by the site administrator.
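As an added illustration of the behaviour this report asks for (not part of the report or of Drupal's own code), a plain PHP error handler that logs the full detail server-side but only renders it for trusted users; `$is_trusted_user` is a stand-in for a real permission check in the site's own access layer.

```php
<?php
// Added example: keep paths, module, function and variable names out of what
// untrusted visitors see, while still recording them for administrators.
// $is_trusted_user is a hypothetical flag standing in for a real role check.

/**
 * Build the message a visitor is allowed to see.
 * Trusted users get the full detail; everyone else a generic notice.
 */
function format_error_for_display($detail, $is_trusted) {
  if ($is_trusted) {
    return htmlspecialchars($detail, ENT_QUOTES, 'UTF-8');
  }
  // No file path, line number, function or variable name leaks here.
  return 'An unexpected error occurred. The site administrator has been notified.';
}

/**
 * Custom PHP error handler: full detail to the log, filtered detail to the page.
 */
function scrub_error_handler($errno, $errstr, $errfile, $errline) {
  global $is_trusted_user;

  // The complete message (including the server path) goes only to the log.
  $detail = sprintf('%s in %s on line %d', $errstr, $errfile, $errline);
  error_log('[php error ' . $errno . '] ' . $detail);

  echo '<div class="error">'
     . format_error_for_display($detail, !empty($is_trusted_user))
     . "</div>\n";

  // TRUE tells PHP the error was handled, so its default output (which would
  // print the path and message to the page) is suppressed.
  return TRUE;
}

set_error_handler('scrub_error_handler');

// Constructed demonstration: the same notice seen by an anonymous visitor and
// then by a trusted administrator.
$is_trusted_user = FALSE;
echo $undefined_setting;   // anonymous: generic message only

$is_trusted_user = TRUE;
echo $undefined_setting;   // administrator: variable name, file path and line
```

The handler only covers PHP errors routed through `set_error_handler()`; fatal errors and uncaught exceptions need `set_exception_handler()` and a `display_errors=Off` setting to get the same treatment.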
| Attachment | Size |
|---|---|
| drupal_error.png | 155.76 KB |
