PHPMailer Vulnerability Trap
msg# 1
Just applied the Protector v3.04 (which I love BTW) and it WHITE-SCREENED my development site.
PHP Version 4.3.9
MySQL Version 5.0.27
XOOPS Version 2.0.16
I traced the hangup on my system to 'postcheck.inc.php' @ 33 with the echo statement. I changed to die instead.
Suspect this may be a problem with my php.ini options; but not sure which one. Obviously we don't want exploit broadcast on a production. Any1 have idea on possible INI problem that isn't printing error to screen as designed; or is there a more graceful way of disclosing the error (e.g. in the Protector log).
TIA
Votes:6
Average:8.33
msg# 1.1
Is it "White screen" instead of a message against phpmailer?
Anyway, Protector does not make your site white by the setting of php.ini
If you mean the message against phpmailer, just overwrite class/mail/phpmailer* by security patch from xoops.org
Votes:6
Average:10.00
msg# 1.1.1
Yes it's White Screen instead of message against phpmailer.
I didn't think Protector would WHITE my site due to php.ini; but suspected that maybe I had some non-safe settings that might not allow the echo from within the function => a white screen.
BTW, I have patch for phpmailer already; but had setting in Preferences to use SendMail.
Votes:5
Average:8.00
msg# 1.1.1.1
Anyway, you'd better display the error message by debug mode.
Votes:8
Average:7.50
msg# 1.1.1.1.1
Dave_L
From: Virginia, USA
Posts: 35
Check these settings in php.ini: display_errors and log_errors.
If display_errors is Off and log_errors is On, then PHP diagnostics will be output to the PHP log file but not displayed.
For a public site, it's recommended to set display_errors = Off.
Votes:5
Average:8.00
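The display_errors / log_errors combination described in the reply above decides whether a PHP diagnostic reaches the browser, the log file, both, or neither (a blank page with nothing recorded). The following is an added example, not code from the thread or from Protector: a small Python check that reads php.ini text and reports which case applies. The function names, the sample files and the simplified On/Off parsing are assumptions made for illustration.

```python
import re

TRUE_WORDS = {"1", "on", "true", "yes", "stdout"}  # simplified PHP boolean parsing

def read_directives(ini_text):
    """Return {name: value} from php.ini text; a later assignment replaces an earlier one."""
    found = {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue  # blank line, comment, or [section] header
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.*)$", line)
        if m:
            # Drop a trailing "; comment" and surrounding quotes.
            value = m.group(2).split(";", 1)[0].strip().strip('"')
            found[m.group(1).lower()] = value
    return found

def where_do_errors_go(ini_text):
    """Classify a php.ini: 'screen', 'log', 'screen+log', 'nowhere' or 'unknown'."""
    d = read_directives(ini_text)
    if "display_errors" not in d or "log_errors" not in d:
        return "unknown"  # directive missing: PHP's built-in default applies
    shown = d["display_errors"].lower() in TRUE_WORDS
    logged = d["log_errors"].lower() in TRUE_WORDS
    if shown and logged:
        return "screen+log"
    if shown:
        return "screen"
    return "log" if logged else "nowhere"

# Constructed sample files, not taken from the thread.
PUBLIC_SITE = """
[PHP]
display_errors = Off   ; do not show diagnostics to visitors
log_errors = On
error_log = /var/log/php_errors.log
"""
DEV_SITE = "display_errors = On\nlog_errors = On\n"
SILENT = "display_errors = On\nlog_errors = Off\ndisplay_errors = 0\n"

if __name__ == "__main__":
    for name, text in [("public", PUBLIC_SITE), ("dev", DEV_SITE), ("silent", SILENT)]:
        print(name, "->", where_do_errors_go(text))
```

A result of "log" matches the recommended public-site setup; "nowhere" means a failure produces a blank page and leaves no record to investigate.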
msg# 1.1.1.1.1.1
Looks like it was my .INI debug.printing the errors.
Thanks all.
Votes:4
Average:7.50