Potential information leakage with active debug mode

Post by cmb » Tue Sep 05, 2017 10:17 am

Hi everybody!

If debug mode is enabled, but _XHdebug.txt contains anything other than a single ASCII character, the respective error messages are displayed not only in admin mode, thus causing information leakage.

This issue most likely affects all CMSimple_XH versions so far.

So ensure that debug mode is disabled, or that _XHdebug.txt contains only a single ASCII character!

See also https://github.com/cmsimple-xh/cmsimple-xh/issues/293.
Christoph M. Becker – Plugins for CMSimple_XH
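
A check for the condition described in the post above, as an added example that is not part of the original post or of CMSimple_XH: it verifies that a given _XHdebug.txt holds exactly one ASCII byte and reports the usual editor-introduced reasons it does not. The function names are hypothetical, the caller supplies the file path, and the list of causes (byte order mark, trailing line break) is an assumption about how such files typically end up longer than one character.

```python
import sys
from pathlib import Path

BOM = b"\xef\xbb\xbf"  # UTF-8 byte order mark some editors prepend

def classify_debug_file(data):
    """Return (ok, reason) for the raw bytes of an _XHdebug.txt file.

    ok is True only for exactly one ASCII byte, the condition the post names.
    """
    if len(data) == 1 and data[0] < 0x80:
        return True, "single ASCII character"
    if not data:
        return False, "file is empty"
    if data.startswith(BOM):
        return False, "starts with a UTF-8 byte order mark"
    if any(b >= 0x80 for b in data):
        return False, "contains non-ASCII bytes"
    if len(data.rstrip(b"\r\n")) == 1:
        return False, "one character followed by a line break"
    return False, "%d bytes instead of 1" % len(data)

def audit(path):
    """Check one file; returns None when the path is not a file."""
    p = Path(path)
    if not p.is_file():
        return None
    return classify_debug_file(p.read_bytes())

if __name__ == "__main__":
    # Usage: python check_xhdebug.py /path/to/_XHdebug.txt [...]
    failed = False
    for arg in sys.argv[1:]:
        result = audit(arg)
        if result is None:
            print("%s: no such file, nothing to check" % arg)
            continue
        ok, reason = result
        print("%s: %s (%s)" % (arg, "OK" if ok else "FIX", reason))
        failed = failed or not ok
    sys.exit(1 if failed else 0)
```

The script exits with status 1 if any listed file fails the check, so it can run from a scheduled job across several installations.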