Simple Machines Community Forum

SMF Development => Bug Reports => Fixed or Bogus Bugs => Topic started by: lwiz on November 18, 2018, 05:14:23 PM

Title: Security problem with SMF 2.0.15 + PHP 7.0/ 7.1
Post by: lwiz on November 18, 2018, 05:14:23 PM
If for some reason the database is out of action, SMF 2.0.15 spits out the database username and password for everyone who opens the SMF board URL to see.

Caught this during a larger server update and luckily, as I was then able to change both quickly, but this is an extreme security issue.

-L

Title: Re: Security problem with SMF 2.0.15 + PHP 7.0/ 7.1
Post by: Illori on November 18, 2018, 05:29:03 PM
That is what PHP does; SMF has no control over PHP errors.

Title: Re: Security problem with SMF 2.0.15 + PHP 7.0/ 7.1
Post by: Looking on November 18, 2018, 06:19:39 PM
Hide all errors?

Title: Re: Security problem with SMF 2.0.15 + PHP 7.0/ 7.1
Post by: lwiz on November 18, 2018, 06:24:21 PM
Yeah, pilot error here, had the errors setting left set to shown after a late-night testing session I guess :/

Jumped the gun though, as I saw someone else telling of the same problem with their board, so I'm not the only one then having a bit iffy php.ini

-L
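
The misconfiguration this thread ends up at (PHP error display left enabled, so a failed database connection is printed to visitors) can be checked for before a server update goes live. The following is an added example, not part of any post above and not SMF code: a small Python audit of php.ini text using the standard PHP directives `display_errors`, `display_startup_errors` and `log_errors`; the sample ini contents are constructed, and the defaults assumed for unset directives are PHP 7.x built-ins.

```python
import re

# Directives that matter for the leak described in the thread, with PHP 7.x
# built-in defaults (used when php.ini does not set them at all).
DEFAULTS = {"display_errors": "1", "display_startup_errors": "0", "log_errors": "1"}
# Values PHP treats as enabled; "stdout"/"stderr" are display_errors targets and
# are counted as "displayed" here to stay on the safe side.
ENABLED = {"1", "on", "true", "yes", "stdout", "stderr"}

def effective_settings(ini_text):
    """Parse php.ini text; the last assignment of a directive wins."""
    values = dict(DEFAULTS)
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue  # skip blanks, comments and section headers
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line)
        if m and m.group(1) in values:  # directive names are case-sensitive
            values[m.group(1)] = m.group(2).split(";", 1)[0].strip().strip("\"'")
    return values

def audit(ini_text):
    """Return the names of directives whose effective value is risky."""
    s = effective_settings(ini_text)
    on = lambda name: s[name].lower() in ENABLED
    risky = [n for n in ("display_errors", "display_startup_errors") if on(n)]
    if not on("log_errors"):
        risky.append("log_errors")  # errors hidden from visitors must still be logged
    return risky

# Constructed samples, not taken from anyone's server.
LEFT_ON_AFTER_TESTING = """[PHP]
; turned on for a debugging session and never reverted
display_errors = On
log_errors = Off
"""
PRODUCTION = """[PHP]
display_errors = Off   ; visitors see nothing
display_startup_errors = Off
log_errors = On
"""

if __name__ == "__main__":
    for name, text in [("testing leftover", LEFT_ON_AFTER_TESTING),
                       ("production", PRODUCTION), ("empty php.ini", "")]:
        print(f"{name}: {audit(text) or 'ok'}")
```

An empty php.ini is flagged because PHP's built-in default for `display_errors` is on. The file is only one source of the value: `.user.ini`, web-server `php_flag` lines and `ini_set()` calls can override it, so confirm the effective setting with `php -i` or `phpinfo()` on the running SAPI.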