Bug #619 full path disclosure(undefined constant CPG_DEBUG)
Project: Dragonfly 9.0.3 -> 9.3
Category: Security
Submitted: Wednesday, August 24, 2005 (07:31:47)
Modified: Monday, October 03, 2005 (03:08:30)
Status: Closed
Assigned to:
PHP Version: 4.3.10
HTTPD Server: Apache 1.3

by: alva
Use of undefined constant CPG_DEBUG - assumed 'CPG_DEBUG' in /includes/classes/cpg_debugger.php on line 104

The way things are now, many users will get a full path disclosure on their sites!

Reported many times in the forums and often answered with 'use 9.x config', which is unjustified in each and every case that I know of.

A once-suggested fix is to put CPG_DEBUG between single quotes. It seems to work; at least the path disclosure stops.

Reproduce code:
// set of errors for which a trace will be saved
if ((is_admin() || CPG_DEBUG) && ($errno & $this->error_level)) {
    if (ereg('mysql_', $errmsg)) {
        global $db;
        $filename = $db->file;
        $linenum = $db->line;
        $this->report[$filename][] = $errortype[$errno]." line $linenum: ".$errmsg;

Expected result:
I expect Dragonfly-coding to not lead to full path disclosure all over the sites of many shared hosting users.

by: alva
Different solution by xfsunoles here

by: DJMaze
This bug has been fixed in the CVS.

Snapshots of the sources are packaged every 6 hours; this change
will be in the next snapshot. You can grab the snapshot at the
Downloads section.

Thank you for the report, and for helping us to make CPG-Nuke 9.0.3 -> 9.1 better.
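
Added example, not part of the original report and not the project's actual CVS fix: it compares the quoted-constant workaround mentioned in the report with a defined() guard around the same condition. The function names trace_allowed_quoted and trace_allowed_guarded and the sample error mask are hypothetical.

```php
<?php
// Added illustration; function names and sample values are hypothetical.

// Quoted-constant workaround: 'CPG_DEBUG' is a non-empty string, which PHP
// treats as true. The notice goes away, but the debug half of the condition
// is now satisfied for every visitor, the same value the notice text says
// PHP was already assuming for the undefined constant.
function trace_allowed_quoted($isAdmin, $errno, $errorLevel)
{
    return ($isAdmin || 'CPG_DEBUG') && ($errno & $errorLevel);
}

// Guarded form: defined() is evaluated first and short-circuits, so the
// constant is only read when it exists. No "undefined constant" message
// (and therefore no file path) can be produced by this line.
function trace_allowed_guarded($isAdmin, $errno, $errorLevel)
{
    $debug = defined('CPG_DEBUG') && CPG_DEBUG;
    return ($isAdmin || $debug) && ($errno & $errorLevel);
}

// Independent of the code fix: keep PHP messages out of HTTP responses so
// any remaining notice is written to the server log instead of the page.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

$errorLevel = E_WARNING | E_NOTICE; // constructed sample mask

// Anonymous visitor on a site whose config never defines CPG_DEBUG
// (the situation described in the report).
echo "quoted, constant undefined:  ";
var_dump((bool) trace_allowed_quoted(false, E_NOTICE, $errorLevel));
echo "guarded, constant undefined: ";
var_dump((bool) trace_allowed_guarded(false, E_NOTICE, $errorLevel));

// Once the configuration defines the constant, the guard honours its value.
define('CPG_DEBUG', true);
echo "guarded, constant defined:   ";
var_dump((bool) trace_allowed_guarded(false, E_NOTICE, $errorLevel));
```

On PHP 8 and later, reading an undefined constant throws an Error instead of raising a notice, so the guarded form is also what keeps this condition from aborting the request there.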