Hey, BoonEx! Notice Something?
May 28, 2010 07:29 (2 likes)
 

I wonder if remote database connection would work from cpanel with this info Cool

May 28, 2010 07:41 (3 likes)
 

Several things about this strike me as wrong.

This post is a bad idea for a lot of reasons.

That kind of information shouldn't be made readily available, whether you have beef - or no beef with Boonex.

I wouldn't do this to my worst enemy. I wouldn't even consider it.

May 28, 2010 07:47 (5 likes)
 

Several things about this strike me as wrong.

This post is a bad idea for a lot of reasons.

That kind of information shouldn't be made readily available, whether you have beef - or no beef with Boonex.

I wouldn't do this to my worst enemy. I wouldn't even consider it.

The database information only applies to the demonstration installation for the administration panel. No other BoonEx web site uses such credentials. If BoonEx is going to deny the importance of protecting database account information from public exposure, perhaps they will think differently with it happening to their own web sites.

+1 I wouldn't want this to happen to my site!

May 28, 2010 13:52 (4 likes)
 

In Dolphin 6.1, such information was hashed out, but now, it's in plain text. And with the script designed to post such information by default, BoonEx should take measures to protect the security of their users' web sites. There is no good reason that such information isn't still hashed, and actually, I am beginning to wonder why such information is even displayed at all to the public, and not simply sent to the owner's email account solely.

Agreed, I don't see the point of displaying the output, isn't that what the bug report email is for?

May 28, 2010 14:33 (4 likes)
 

Magnussoft that is quite a bold thing to do with the info in that post. It happened to me as well and begs the QUESTION.......How in the heck could anything (even a bug report) allow a person to be able to see a DBNAME and PASSWORD. FOR ALL THE OBVIOUS REASONS imagine you get off and running after making adjustments for years and BECAUSE of something like this, a person goes in and wipes you out and I mean WIPES YOU OUT..........This is obviously a MAJOR SECURITY ERROR and needs IMMEDIATE ATTENTION BY BOONEX TO CORRECT any possible ability for anyone to see this type of information is insane. Maybe using the very feature that is used on members' passwords to encrypt the very words that would allow a person to destroy all that has been done in a HEARTBEAT.

Thank you for bringing this out...........PLEASE ANY REPORT NO MATTER WHO IT GOES TO SHOULD SHOW THIS VITAL INFORMATION.

IMHO

Christopher Sampson http://www.getglobalexposure.com
May 28, 2010 14:36 (4 likes)
 

I'm with ya Mags.... I get these several times a week and have never been able to completely resolve it. I wonder about the security all the time.

sorry, I'm cutn&pastin. Have trouble doing 2 things at once.

My site has banner ads here!
May 28, 2010 15:08 (6 likes)
 

I totally agree...It's really dumb to include the DB username/password into an error log report. no point!!!

May 28, 2010 20:53 (6 likes)
 

LOL 'name and shame'.

Hats off to you Gladys, a bold move, I applaud you for it.

Sometimes no amount of nagging, bug reports or reasonable discussion seems to get anywhere with Boonex - every now and then you just have to 'up the ante' and make a bit more noise.

Hopefully they will now consider addressing this issue.

/DM

Dolphin - Ajax Masturbation
May 28, 2010 20:55 (5 likes)
 

I wonder if remote database connection would work from cpanel with this info Cool

Just use a remote database client.

/DM

Dolphin - Ajax Masturbation
May 28, 2010 20:58 (6 likes)
 

No point yes. But it should also not be a security risk. Administrators should not have their database servers setup to allow outside access anyway.

But i do agree, passwords do not belong in error reports.






Dolphin Mods - http://www.boonex.com/market/posts/deano92964
May 28, 2010 21:07 (6 likes)
 

No point yes. But it should also not be a security risk. Administrators should not have their database servers setup to allow outside access anyway.

But i do agree, passwords do not belong in error reports.





R u saying you can stop that report from showing that with settings?

Christopher Sampson http://www.getglobalexposure.com
May 28, 2010 21:15 (1 like)
 

No point yes. But it should also not be a security risk. Administrators should not have their database servers setup to allow outside access anyway.

But i do agree, passwords do not belong in error reports.




R u saying you can stop that report from showing that with settings?

no bug  and yes you can stop it i posted how to here on forum quick search :)

May 28, 2010 21:17 (2 likes)
 


with notepad create a file  called phperr.txt and upload it to the folder /inc/



now add this to your php.ini settings

display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /home/content/your/path/html/inc/phperr.txt
error_reporting = E_ALL

make sure u change the path :)

now all the errors will be saved to that file so you can view it anytime and
all your users get to see is database error and nothing else

May 28, 2010 21:27 (4 likes)
 

 


with notepad create a file  called phperr.txt and upload it to the folder /inc/



now add this to your php.ini settings

display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /home/content/your/path/html/inc/phperr.txt
error_reporting = E_ALL

make sure u change the path :)

now all the errors will be saved to that file so you can view it anytime and
all your users get to see is database error and nothing else

 OMG I actually understand and appreciate that logic..........:)

Christopher Sampson http://www.getglobalexposure.com
May 28, 2010 21:31 (3 likes)
 


with notepad create a file  called phperr.txt and upload it to the folder /inc/



now add this to your php.ini settings

display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /home/content/your/path/html/inc/phperr.txt
error_reporting = E_ALL

make sure u change the path :)

now all the errors will be saved to that file so you can view it anytime and
all your users get to see is database error and nothing else

Issue is, this isn't done by default, and no one is told that they need to do this, either, meaning there are those running production installations with actual users, who may suffer from this issue. The point is, that these debug outputs should not be displaying there in the first place.

yeah you're right about that but  it's not the end of the world :) as long there's something you can do about it

May 28, 2010 21:34 (4 likes)
 

maybe someone should make a sticky post about this it might help

May 28, 2010 21:49 (6 likes)
 

you are correct, this kind of information should not be made readily available, and i don't think it has to do with having a beef with boonex. This has been reported as a bug, and it was determined by those who make the decisions that this was not a problem. this is a clear demonstration that this is a problem, and it should be posted for boonex to realize that it is a problem with the script.

Several things about this strike me as wrong.

This post is a bad idea for a lot of reasons.

That kind of information shouldn't be made readily available, whether you have beef - or no beef with Boonex.

I wouldn't do this to my worst enemy. I wouldn't even consider it.

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
May 28, 2010 21:52 (6 likes)
 

as you can see from the post, this has been reported and the response was that this was not a problem with the script, and in most cases the server was laid at fault. magnussoft is just pointing out that this is happening on the demo platform to which the boonex developers claim this reported error was not a problem. it is clearly a problem.

this is the exact information that will be displayed from your site should a database error occur on your site. i think he has every right to post this and it should be made known and not in a private matter. because now those who are here disagreeing with the post, would be befuddled if this were to happen to their site and it was a known issue which had been reported and covered up.

In Dolphin 6.1, such information was hashed out, but now, it's in plain text. And with the script designed to post such information by default, BoonEx should take measures to protect the security of their users' web sites. There is no good reason that such information isn't still hashed, and actually, I am beginning to wonder why such information is even displayed at all to the public, and not simply sent to the owner's email account solely.

Agreed, I don't see the point of displaying the output, isn't that what the bug report email is for?

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
May 28, 2010 21:56 (6 likes)
 

I wouldn't consider a "sticky note" to be a solution to a security breach. this needs to be fixed, and a security patch released.

maybe someone should make a sticky post about this it might help

guys, can we get up off the sooperstars and webhome or whatever the new adventure is long enough to square away this security issue?

Regards,

DosDawg

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
May 28, 2010 22:02 (6 likes)
 

prozac,

do you seriously consider this not being a bug? if the script is spitting out an error that includes your dbase connection string, that is a bug, moreso, it's a security breach. and should be fixed and should have been fixed when it was first reported.

even if your patch works, which i haven't tried it, but even if your patch works, why would boonex not implement this as part of the 7.0.1 release, because this was reported and considered invalid upon the release of 7.0.0

No point yes. But it should also not be a security risk. Administrators should not have their database servers setup to allow outside access anyway.

But i do agree, passwords do not belong in error reports.



R u saying you can stop that report from showing that with settings?

no bug  and yes you can stop it i posted how to here on forum quick search :)

andrew, anton, aramis, and the rest of the development crew, please take a look at this because this is a serious issue and it can no longer be denied as being a problem.

i think a mass mail should be sent out, and a patch released immediately, if nothing more than providing prozac's patch for the short term, but you guys need to get this fixed.

Regards,

DosDawg

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
May 28, 2010 22:12 (6 likes)
 

prozac,

do you seriously consider this not being a bug? if the script is spitting out an error that includes your dbase connection string, that is a bug, moreso, it's a security breach. and should be fixed and should have been fixed when it was first reported.

even if your patch works, which i haven't tried it, but even if your patch works, why would boonex not implement this as part of the 7.0.1 release, because this was reported and considered invalid upon the release of 7.0.0

No point yes. But it should also not be a security risk. Administrators should not have their database servers setup to allow outside access anyway.

But i do agree, passwords do not belong in error reports.


R u saying you can stop that report from showing that with settings?

no bug  and yes you can stop it i posted how to here on forum quick search :)

andrew, anton, aramis, and the rest of the development crew, please take a look at this because this is a serious issue and it can no longer be denied as being a problem.

i think a mass mail should be sent out, and a patch released immediately, if nothing more than providing prozac's patch for the short term, but you guys need to get this fixed.

Regards,

DosDawg

1. Do i consider this as a bug? 40% Yes  &  60% NO
2. Does this patch work? yes it works i have it on my sites
3. Why was this ignored by boonex?....(waiting on an answer....)

May 28, 2010 22:16 (5 likes)
 

I can't just let this one go.......when this happened to me the first time the report was there with ALL MY GLORY hanging out when a girl from Gogirly.com says and I quote who did you piss off that would allow a report for the entire world to see your username and database password. ARE YOU KIDDING the Dawg/Magnussoft are right again this is not a bug IT IS ABOUT the biggest contravene of SECURITY I HAVE EVER SEEN? I liken it to you walking up to an ex/con and handing him/her the keys to your house and then wonder why you woke up with everything gone............

Thank you for the work around..........

Christopher Sampson http://www.getglobalexposure.com
May 29, 2010 00:02 (5 likes)
 

 

I would like to thank everyone for ensuring this topic does not become forgotten, and gets the attention it deserves. To those who are claiming this is not a bug, it is. In Dolphin 6.1, such information was also displayed, but hashed-out, meaning anyone who stumbles upon the output can do no harm. In Dolphin 7, such information is displayed in clear text, and not hashed-out like its predecessor. This means that anyone who stumbles upon the output can do serious harm, as many servers are configured in a way that the password displayed not only controls the database, but the server, as well. The fact remains, the information should be hashed-out at least. At most, a public display of debug information meant only for the administrator should not exist, and all people should see is a small, red box with a few short words, and nothing more.

 

The point remains, this little-known fact has been mostly kept unknown to most people, meaning there are a good number of web sites running Dolphin 7 which are susceptible to this security risk, making their web sites essentially the equivalent of ticking time bombs: they will go off, it's a matter of when, and who will be there to see the information leak. Although there is a work-around to this, it is not a default, and BoonEx makes no attempt to tell people that they need to do such additional things, meaning they do not know, nor could they.

Don't forget to make the text file writeable eh?

My site has banner ads here!
May 29, 2010 00:03 (6 likes)
 

@DosDawg

My problem with the post was only that he posted the database connection info. I don't think that is necessary to make the point.

I agree that this is something that should be dealt with, but handing out database login details to the world in general isn't a good idea.

Two wrongs don't make a right.

I stand by my post.

 

May 29, 2010 00:15 (4 likes)
 

I agree with Magnus. Boonex is notorious for not listening unless you hit them in the face with a dodge ball

My site has banner ads here!
May 29, 2010 00:18 (6 likes)
 

@theguypc,

you are right to a degree on that bro, and that is the point exactly is that nobody's database information should be put out on the internet, and that is what this issue has caused, and it was reported and deemed as an invalid report and closed.

@DosDawg

My problem with the post was only that he posted the database connection info. I don't think that is necessary to make the point.

I agree that this is something that should be dealt with, but handing out database login details to the world in general isn't a good idea.

Two wrongs don't make a right.

I stand by my post.

so the object here was not to expose the credentials on the site, as much as it was to provide factuals that this is going on, and now even going on on their own servers.


I hope they will look into this and get it patched up.

Regards,

DosDawg

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
May 29, 2010 00:27 (6 likes)
 

The silence from Boonex about this is deafening, I have to admit.

May 29, 2010 00:54 (6 likes)
 

In Australia, they probably thought it was just dingoes.

May 29, 2010 01:19 (6 likes)
 

 

 

The silence from Boonex about this is deafening, I have to admit.

In Australia, no one can hear you scream.

 That explains how Olivia Newton John's former partner slipped off so easily. ha ha

May 29, 2010 01:41 (7 likes)
 

The silence from Boonex about this is deafening, I have to admit.

In Australia, no one can hear you scream.

Like they say, if you picked up Europe & dropped it in the center of Australia, you would never find it again, no matter how loud you scream.

Boonex has no excuse, they are not in the center of Australia.

From the land DownUnder
May 29, 2010 02:06 (10 likes)
 

You can disable that output by setting the DB_FULL_VISUAL_PROCESSING to false.

Open up BxDolDb.php in the inc/classes folder.

At the top of the page at line 25 change

define( 'DB_FULL_VISUAL_PROCESSING', true);

to

define( 'DB_FULL_VISUAL_PROCESSING', false);

This will inhibit the output.

If you want to take it a step further, you can add some code to gracefully display a nice message or send them off to another part of the site that can give them more information.

May 29, 2010 02:21 (8 likes)
 

Yes. When I saw your post I was livid. I am baffled why it would ever be set to true as the default. I think it got buried and they forgot about it.

You can disable that output by setting the DB_FULL_VISUAL_PROCESSING to false.

Open up BxDolDb.php in the inc/classes folder.

At the top of the page at line 25 change

define( 'DB_FULL_VISUAL_PROCESSING', true);

to

define( 'DB_FULL_VISUAL_PROCESSING', false);

This will inhibit the output.

If you want to take it a step further, you can add some code to gracefully display a nice message or send them off to another part of the site that can give them more information.

Wouldn't it be wonderful if BoonEx did that?

May 29, 2010 10:12 (5 likes)
 

This has been getting some airtime elsewhere too -

http://www.modmysite.com/general-issues-comments-questions/10491-db_full_visual_processing.html#post39764

Funny that the fix comes from outside of Boonex.

Gladys - you say this is a ticking timebomb - in reality there will be some repeatable way of triggering this - commonly known as a bug (BTW - there were over 300 of them in the last release LOL) - and when someone figures out how, it will become a post on milw0rm or some other h4cker site, and before you know it, every script kiddie out there will be searching for Dolphin 7 sites so that they can add an admin account and change your home page to '0wnd by wh0ev4.'

Just the same as happened with version 6.1

/DM

Dolphin - Ajax Masturbation
May 29, 2010 10:13 (5 likes)
 

PS - REALLY surprised that this post is still up after all this time - obviously Boonex cannot check in that frequently.

Maybe they are too busy fixing bugs.

LOL

/DM

Dolphin - Ajax Masturbation
May 29, 2010 10:23 (6 likes)
 

Just had another thought - Andrew - you should ask the independent security Guru(s) who did an audit on Dolphin, to refund your money back... they obviously did a pretty crappy job - lol.

/DM

PS - nice spin BTW.

Dolphin - Ajax Masturbation
May 29, 2010 14:23 (7 likes)
 

Been following this for a while now. As Boonex still has not responded, in forums or via blog, I thought I would bump it for the hell of it.

BUMP!

May 29, 2010 14:26 (6 likes)
 

Has anybody thought to put this in the bug forum?

My site has banner ads here!
May 29, 2010 15:06 (7 likes)
 

Has anybody thought to put this in the bug forum?

Here's another ticket that can be followed: http://www.boonex.com/trac/dolphin/ticket/2046

May 29, 2010 15:55 (6 likes)
 

Bump

May 29, 2010 17:13 (7 likes)
 

It's not a bug..... It's a feature!

Maybe I should just wait for Dolphin 12
May 29, 2010 17:53 (6 likes)
 

 

It's not a bug..... It's a feature!

Freedom.

Freedom of information - yours, mine, and every one's

May 29, 2010 17:57 (6 likes)
 

Bump

This is one of those topics that need to remain on the front page.

@Magnussoff: This was meant to keep this topic on the front page. Did you give me a -1 vote?

May 29, 2010 18:12 (6 likes)
 

 

 

 

Bump

This is one of those topics that need to remain on the front page.

@Magnussoff: This was meant to keep this topic on the front page. Did you give me a -1 vote?

 I fixed it for ya  ; )

May 29, 2010 19:29 (6 likes)
 

Well let's see isn't the entire point we ALL don't like the idea of our Database information out in PUBLIC and anyone who had a problem with you posting this because of the very nature of the information contained within helps make your very point and agrees with your thoughts..........

Bump

This is one of those topics that need to remain on the front page.

@Magnussoff: This was meant to keep this topic on the front page. Did you give me a -1 vote?

I said that I agreed with you bumping this topic. I have neither awarded, nor taken away any points in this topic. Whoever gave you a negative must have been the same person who gave me a negative. Obviously, someone doesn't like my sharing of this information.

Christopher Sampson http://www.getglobalexposure.com
May 29, 2010 20:15 (6 likes)
 

There... Just being part of this thread got everyone a positive vote (except me, can't vote for myself, lol)

My site has banner ads here!
May 30, 2010 00:09 (4 likes)
 

Starting to look like they may have forgotten they also have a forum.

Yes. When I saw your post I was livid. I am baffled why it would ever be set to true as the default. I think it got buried and they forgot about it.

You can disable that output by setting the DB_FULL_VISUAL_PROCESSING to false.

Open up BxDolDb.php in the inc/classes folder.

At the top of the page at line 25 change

define( 'DB_FULL_VISUAL_PROCESSING', true);

to

define( 'DB_FULL_VISUAL_PROCESSING', false);

This will inhibit the output.

If you want to take it a step further, you can add some code to gracefully display a nice message or send them off to another part of the site that can give them more information.

Wouldn't it be wonderful if BoonEx did that?

From the land DownUnder
May 30, 2010 01:41 (3 likes)
 

Time to break out the cookies and YooHoo.

We may as well be comfy while keeping this thread alive. ; )

Besides, I just like cookies.

May 30, 2010 02:04 (5 likes)
 

Maybe you checked if DB_FULL_VISUAL_PROCESSING is on or off now... but perhaps you have others doing coding for you, or adding modifications, or whatever, and you are concerned they may turn it on, and not tell you, or forget to turn it back off again when they are done.

You can add an indicator to your administrator panel Dashboard. I stuck it in the first block (with the admin info) rather than making a new block.

You can see the modification (and check the screen shots if you wish), in this post on MMS.
http://www.modmysite.com/general-issues-comments-questions/10491-db_full_visual_processing.html#post39771

It is easy to add - should take 2 minutes - but at least now - every time you visit the admin dashboard, you know what the setting is.

Smoge
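
A scripted version of the check described in the post above, as an added example that is not part of the original thread or of Dolphin's code: it reads inc/classes/BxDolDb.php and reports whether DB_FULL_VISUAL_PROCESSING, or the DB_FULL_DEBUG_MODE constant named later in the thread, is active. The function names and the sample file contents are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# The two constants this thread names, both in inc/classes/BxDolDb.php.
DEBUG_CONSTANTS = ("DB_FULL_VISUAL_PROCESSING", "DB_FULL_DEBUG_MODE")

# Constructed sample, not Dolphin's real file: one commented-out define
# followed by the live ones.
SAMPLE_BXDOLDB = """<?php
// define( 'DB_FULL_VISUAL_PROCESSING', false );
define( 'DB_FULL_VISUAL_PROCESSING', true);
define( 'DB_FULL_DEBUG_MODE', false );
"""

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
LINE_COMMENT = re.compile(r"(//|#).*$", re.MULTILINE)
DEFINE = re.compile(
    r"""define\s*\(\s*['"](?P<name>\w+)['"]\s*,\s*(?P<value>[^)]+?)\s*\)""",
    re.IGNORECASE,
)
# Anything not clearly false is reported as enabled, so the check fails safe.
FALSY = {"false", "0", "", "null"}


def strip_php_comments(source):
    """Drop /* */, // and # comments so a commented-out define() is ignored.

    Naive (not string-aware), which is enough for locating define() calls.
    """
    return LINE_COMMENT.sub("", BLOCK_COMMENT.sub("", source))


def debug_flags(php_source, names=DEBUG_CONSTANTS):
    """Return {constant: True, False or None}; None means no active define().

    PHP keeps the first define() of a constant, so the first match wins.
    """
    found = {name: None for name in names}
    for match in DEFINE.finditer(strip_php_comments(php_source)):
        name = match.group("name")
        if name in found and found[name] is None:
            value = match.group("value").strip().strip("'\"").lower()
            found[name] = value not in FALSY
    return found


def audit_install(root):
    """Check one Dolphin tree and return a list of findings (empty = clean)."""
    target = Path(root) / "inc" / "classes" / "BxDolDb.php"
    if not target.is_file():
        return [f"{target}: not found"]
    findings = []
    for name, enabled in debug_flags(target.read_text(errors="replace")).items():
        if enabled:
            findings.append(f"{target}: {name} is enabled")
        elif enabled is None:
            # PHP before 8.0 evaluates an undefined constant as its own name,
            # a truthy string, so a removed define() is reported, not trusted.
            findings.append(f"{target}: {name} has no active define()")
    return findings


if __name__ == "__main__":
    import sys

    for site_root in sys.argv[1:]:
        for finding in audit_install(site_root):
            print(finding)
```

Run it with one or more site roots as arguments, for example from a scheduled job, so a flag switched on during development does not stay on unnoticed.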

May 30, 2010 06:25 (4 likes)
 

Maybe you checked if DB_FULL_VISUAL_PROCESSING is on or off now... but perhaps you have others doing coding for you, or adding modifications, or whatever, and you are concerned they may turn it on, and not tell you, or forget to turn it back off again when they are done.

You can add an indicator to your administrator panel Dashboard. I stuck it in the first block (with the admin info) rather than making a new block.

You can see the modification (and check the screen shots if you wish), in this post on MMS.
http://www.modmysite.com/general-issues-comments-questions/10491-db_full_visual_processing.html#post39771

It is easy to add - should take 2 minutes - but at least now - every time you visit the admin dashboard, you know what the setting is.

Smoge

Now this is what you call Unity.

From the land DownUnder
May 30, 2010 06:55 (3 likes)
 

@Magnussoft: It's good of you to bring this up. I just think boonex should have fixed this instead of having members here come up with temporary fixes. I have been with aewebworks (aedating), boonex (dolphin) for years and they keep making mistakes. I still haven't been able to get my sites up 100%. This database error is a huge security risk.

May 30, 2010 09:46 (3 likes)
 

>> This database error is a huge security risk.

It is actually a nice feature.... but gone bad. ;)

The VISUAL PROCESSING is really nice when you are doing development.... it saves a lot of time compared to checking an email (or looking at a file) while you are developing.

The main point is - that it should be disabled if you are not using it for development work or debug.

It is why I suggested the indicator in the Dashboard.

It is not an EVIL thing... VISUAL PROCESSING is actually a cool "feature", if used correctly.

As for the file method - may I suggest, in the public_html .htaccess, you add

<FilesMatch "errorlog|error_log$">
Order Allow,Deny
Deny from all
</FilesMatch>

and don't use phperr.txt, but instead use errorlog (or error_log)... a bit more standard.

The .htaccess snippet, if put in your main public_html .htaccess file, will "protect" all the errorlog or error_log files on your site. They tend to show up in strange places from time to time.  ;)

Smoge
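
The php.ini fragment posted earlier and the FilesMatch rule above, checked together, as an added example that is not from the thread's posters or from BoonEx: it flags display settings that would show errors to visitors and an error_log that sits under the web root without a matching deny rule. The document root and the function names are assumptions; the two sample inputs are copied from the thread.

```python
import posixpath
import re

ON_VALUES = {"on", "1", "true", "yes"}

# Copied from the php.ini post in this thread (placeholder path included).
THREAD_INI = """\
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /home/content/your/path/html/inc/phperr.txt
error_reporting = E_ALL
"""

# Copied from the .htaccess post in this thread.
THREAD_HTACCESS = """\
<FilesMatch "errorlog|error_log$">
Order Allow,Deny
Deny from all
</FilesMatch>
"""

# Assumption: the web root implied by the placeholder path above.
ASSUMED_DOCROOT = "/home/content/your/path/html"

FILESMATCH = re.compile(
    r'<FilesMatch\s+"?(?P<pattern>[^">]+)"?\s*>(?P<body>.*?)</FilesMatch>',
    re.IGNORECASE | re.DOTALL,
)
# Apache 2.2 ("Deny from all") and 2.4 ("Require all denied") spellings.
DENY_ALL = re.compile(r"deny\s+from\s+all|require\s+all\s+denied", re.IGNORECASE)


def parse_ini(text):
    """Parse 'key = value' lines of a php.ini fragment; ';' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line or line.startswith("["):
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def denied_patterns(htaccess):
    """Return the FilesMatch regexes whose block denies all access."""
    return [m.group("pattern") for m in FILESMATCH.finditer(htaccess)
            if DENY_ALL.search(m.group("body"))]


def is_covered(filename, patterns):
    """True if any deny pattern matches the file's base name."""
    for pattern in patterns:
        try:
            if re.search(pattern, filename):
                return True
        except re.error:
            continue  # PCRE syntax Python cannot parse: treat as not covering
    return False


def audit(ini_text, docroot, htaccess=""):
    """Return a list of findings for one php.ini fragment (empty = clean)."""
    settings = parse_ini(ini_text)
    findings = []
    display = settings.get("display_errors")
    if display is None:
        findings.append("display_errors is not set; PHP's built-in default is on")
    elif display.lower() in ON_VALUES | {"stdout"}:
        findings.append("display_errors is on: visitors see error output")
    if settings.get("display_startup_errors", "off").lower() in ON_VALUES:
        findings.append("display_startup_errors is on")
    if settings.get("log_errors", "on").lower() not in ON_VALUES:
        findings.append("log_errors is off: errors are not recorded anywhere")
    log_path = settings.get("error_log", "")
    if log_path and log_path.lower() != "syslog":
        root = posixpath.normpath(docroot)
        full = posixpath.normpath(log_path)
        # A relative error_log lands beside the running script, so it is
        # treated as being inside the web tree.
        inside = (not posixpath.isabs(full)
                  or posixpath.commonpath([root, full]) == root)
        name = posixpath.basename(full)
        if inside and not is_covered(name, denied_patterns(htaccess)):
            findings.append(
                f"error_log {log_path} is under the web root and no "
                f"FilesMatch deny rule covers '{name}'")
    return findings


if __name__ == "__main__":
    for finding in audit(THREAD_INI, ASSUMED_DOCROOT, THREAD_HTACCESS):
        print(finding)
```

On Apache 2.4 without mod_access_compat the Order/Deny lines are not accepted and the block needs `Require all denied` instead; the check recognises either form.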

May 30, 2010 15:09 (3 likes)
 

Wow, that phperr.txt file sure got full quick... Check this... (just a little of it)

[29-May-2010 01:43:40] PHP Warning:  mail() [<a href='function.mail'>function.mail</a>]: Could not execute mail delivery program '/usr/sbin/sendmail -t -i' in /home/skyforum/public_html/inc/utils.inc.php on line 434
[29-May-2010 01:43:40] PHP Warning:  mail() [<a href='function.mail'>function.mail</a>]: Could not execute mail delivery program '/usr/sbin/sendmail -t -i' in /home/skyforum/public_html/inc/utils.inc.php on line 434
[29-May-2010 01:43:40] PHP Warning:  mail() [<a href='function.mail'>function.mail</a>]: Could not execute mail delivery program '/usr/sbin/sendmail -t -i' in /home/skyforum/public_html/inc/utils.inc.php on line 434
[29-May-2010 01:45:02] PHP Fatal error:  Out of memory (allocated 1835008) (tried to allocate 26 bytes) in /home/skyforum/public_html/cache/sys_options.php on line 368
[29-May-2010 01:45:02] PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20060613/ffmpeg.so' - libavcodec.so.52: cannot map zero-fill pages: Cannot allocate memory in Unknown on line 0

Then there's this:

[29-May-2010 01:45:02] PHP Fatal error:  Out of memory (allocated 262144) (tried to allocate 19456 bytes) in /home/skyforum/public_html/denverpotholes.com/cache/sys_options.php on line 66
[29-May-2010 01:45:02] PHP Fatal error:  Out of memory (allocated 2359296) (tried to allocate 19456 bytes) in /home/skyforum/public_html/usspeedwayseries.com/inc/languages.inc.php on line 361
[29-May-2010 01:45:17] PHP Warning:  mail() [<a href='function.mail'>function.mail</a>]: Could not execute mail delivery program '/usr/sbin/sendmail -t -i' in /home/skyforum/public_html/inc/utils.inc.php on line 434
[29-May-2010 13:36:18] PHP Warning:  filesize() [<a href='function.filesize'>function.filesize</a>]: stat failed for /home/skyforum/public_html/modules/boonex/photos/data/files/489_rt.jpg in /home/skyforum/public_html/modules/boonex/photos/classes/BxPhotosModule.php on line 80
[29-May-2010 13:36:18] PHP Warning:  readfile(/home/skyforum/public_html/modules/boonex/photos/data/files/489_rt.jpg) [<a href='function.readfile'>function.readfile</a>]: failed to open stream: No such file or directory in /home/skyforum/public_html/modules/boonex/photos/classes/BxPhotosModule.php on line 81
[29-May-2010 13:36:18] PHP Warning:  filesize() [<a href='function.filesize'>function.filesize</a>]: stat failed for /home/skyforum/public_html/modules/boonex/photos/data/files/490_rt.jpg in /home/skyforum/public_html/modules/boonex/photos/classes/BxPhotosModule.php on line 80
[29-May-2010 13:36:18] PHP Warning:  readfile(/home/skyforum/public_html/modules/boonex/photos/data/files/490_rt.jpg) [<a href='function.readfile'>function.readfile</a>]: failed to open stream: No such file or directory in /home/skyforum/public_html/modules/boonex/photos/classes/BxPhotosModule.php on line 81
[29-May-2010 13:37:30] PHP Warning:  filesize() [<a href='function.filesize'>function.filesize</a>]: stat failed for /home/skyforum/public_html/modules/boonex/photos/data/files/489_rt.jpg in /home/skyforum/public_html/modules/boonex/photos/classes/BxPhotosModule.php on line 80
[29-May-2010 13:37:30] PHP Warning:  readfile(/home/skyforum/public_html/modules/boonex/photos/data/files/489_rt.jpg) [<a href='function.readfile'>function.readfile</a>]: failed to open stream: No such file or directory in /home/skyforum/public_html/modules/boonex/photos/classes/BxPhotosModule.php on line 81
[29-May-2010 13:37:30] PHP Warning:  filesize() [<a href='function.filesize'>function.filesize</a>]: stat failed for /home/skyforum/public_html/modules/boonex/photos/data/files/490_rt.jpg in

Anyone got any ideas what these errors are from?

 

OOH BUG!

img 489 and 490 are both .gifs. Why would the system be assigning a jpg. extension?

My site has banner ads here!
May 30, 2010 15:17 (3 likes)
 

@SkyMan
i did have some errors myself  but after upgrading to 7.0.1 they all vanished :)
looks like you're running out of memory, increase it in php.ini. after that open that phperr.txt, select all, delete and save, see if helps

May 30, 2010 15:23 (3 likes)
 

[29-May-2010 13:36:18] PHP Warning:  readfile(/home/skyforum/public_html/modules/boonex/photos/data/files/490_rt.jpg) [<a href='function.readfile'>function.readfile</a>]: failed to open stream: No such file or directory in /home/skyforum/public_html/modules/boonex/photos/classes/BxPhotosModule.php on line 81

could it be that photo was deleted

May 30, 2010 15:31 (4 likes)
 

 

@SkyMan
i did have some errors myself  but after upgrading to 7.0.1 they all vanished :)
looks like you're running out of memory, increase it in php.ini. after that open that phperr.txt, select all, delete and save, see if helps

I've got my php memory set to -1 (unlimited). As far as the image goes, you are right. I uploaded the same image 3 times during a test, two of them failed to upload. They still show as blank images in the test albums...

frikkin weird if ya ask me.

I also had to do a restart on my RMS yesterday. Somehow, I think it's all related, Thanks Pro_

My site has banner ads here!
May 30, 2010 15:38 (4 likes)
 

I think I like your fix (Prolaznik) better than the one One20 presented. Not that his isn't good because it is, I just like being able to peruse this error file.

My site has banner ads here!
May 30, 2010 15:39 (4 likes)
 

BoonEx has not made any attempt to tell people that they need to do this or that, when installing the script. Worse so, through some point in development, the hashing-out of sensitive information was removed, producing the clear text results shown above.

I hate to say it, but I'm thinking the reason for that would be 'job security'. People will always need their services/repairs/fixes/support.

May 30, 2010 16:16 (4 likes)
 

BoonEx employees are paid to develop first, and provide personal work second.

Ah..didn't know that. There may be a theme to consider, so agreed..awareness is good.

May 30, 2010 16:48 (2 likes)
 

The silence from Boonex about this is deafening, I have to admit.

In Australia, no one can hear you scream.

They can hear you scream in Australia - they just don't care..........

From Jenn the Australian!

Jennifer Bogan
May 30, 2010 17:03 | 2 likes

Thank you heaps for the email "Dolphin Alert - Prevent Display Of Sensitive Info" from support@modmysite or I wouldn't have been aware of this immediately. Thanks for the fix to the problem too.

Jennifer Bogan
May 30, 2010 22:26 | 0 likes

This debug info is shown because FULL DEBUG MODE is enabled.

This mode is TURNED OFF BY DEFAULT !

So, there is no security risk !

But for sure you can check inc/classes/BxDolDb.php file and make sure that you have the following string in the beginning of file:

define( 'DB_FULL_DEBUG_MODE', false );

but NOT this one below:

define( 'DB_FULL_DEBUG_MODE', true );

Rules: http://www.boonex.com/unity/txt/terms
May 30, 2010 22:37 | 3 likes

I would like a vote as well :)

May 30, 2010 22:41 | 3 likes

This debug info is shown because FULL DEBUG MODE is enabled.

This mode is TURNED OFF BY DEFAULT !

So, there is no security risk !

But for sure you can check inc/classes/BxDolDb.php file and make sure that you have the following string in the beginning of file:

define( 'DB_FULL_DEBUG_MODE', false );

but NOT this one below:

define( 'DB_FULL_DEBUG_MODE', true );

maybe on your side but not in the download versions you gave us

May 30, 2010 22:51 | 2 likes

The DB_FULL_DEBUG_MODE constant is set to false on mine.

The problem is that the $out variable is echo'd within the if statements.

AlexT, the constant DB_FULL_DEBUG_MODE is nested within the DB_FULL_VISUAL_PROCESSING and will therefore always execute. You have them switched around. And regardless, the $out variable is echo'd.

To be safe you need to comment out the $out variable and comment all the echo in the DB_FULL_DEBUG_MODE if condition but add an additional echo ""; to avoid the class from throwing an error.

This debug info is shown because FULL DEBUG MODE is enabled.

This mode is TURNED OFF BY DEFAULT !

So, there is no security risk !

But for sure you can check inc/classes/BxDolDb.php file and make sure that you have the following string in the beginning of file:

define( 'DB_FULL_DEBUG_MODE', false );

but NOT this one below:

define( 'DB_FULL_DEBUG_MODE', true );

maybe on your side but not in the download versions you gave us

May 30, 2010 22:56 | 3 likes

Wow!

I felt the rush of air as that one went over my head! Surprised

My site has banner ads here!
May 30, 2010 23:03 | 5 likes

It's all useless info unless people understand it and it gets officially addressed. I might as well have written blah blah blah.

Anyway, it's possible to fine tune this script and have it polished up and working. It would be good if BoonEx can take a look at this problem and acknowledge it. There might be other dependencies that have been overlooked.

If required, I will post my fixes and mods so others can use them.

Wow!

I felt the rush of air as that one went over my head! Surprised

May 30, 2010 23:19 | 3 likes

That would be awesome Magnussoft and thank you.

I've contacted AlexT with a brief note and some observations I've made. Hopefully some insight will be given.

It's all useless info unless people understand it and it gets officially addressed. I might as well have written blah blah blah.

Anyway, it's possible to fine tune this script and have it polished up and working. It would be good if BoonEx can take a look at this problem and acknowledge it. There might be other dependencies that have been overlooked.

If required, I will post my fixes and mods so others can use them.

Wow!

I felt the rush of air as that one went over my head! Surprised

This is the second time AlexT has denied this issue existing. Something tells me this will not change. I am glad to see that responsible web masters and web hosting providers have notified their clients of this issue and have provided the needed solution for it, as well.

I am in the process of releasing an updated version of the BxDolDb.php file with the needed changes made, and will be releasing this as a download for all to apply.

May 30, 2010 23:47 | 3 likes

HOLY CRAP!!!  I applied prolaznik's fix yesterday and just checked my phperr.txt file.  I got this error:

[29-May-2010 23:28:26] PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20060613/phpshield.5.2.lin' - /usr/local/lib/php/extensions/no-debug-non-zts-20060613/phpshield.5.2.lin: cannot open shared object file: No such file or directory in Unknown on line 0
[29-May-2010 23:28:26] PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20060613/ffmpeg.so' - /usr/local/lib/php/extensions/no-debug-non-zts-20060613/ffmpeg.so: cannot open shared object file: No such file or directory in Unknown on line 0

Only thing - I GOT IT NEARLY 500 TIMES - PRACTICALLY EVERY 3 MINUTES!!!  WHAT'S UP WITH THAT?

Someday, Someway.
May 30, 2010 23:52 | 2 likes


This debug info is shown because FULL DEBUG MODE is enabled.

This mode is TURNED OFF BY DEFAULT !

So, there is no security risk !

But for sure you can check inc/classes/BxDolDb.php file and make sure that you have the following string in the beginning of file:

define( 'DB_FULL_DEBUG_MODE', false );

but NOT this one below:

define( 'DB_FULL_DEBUG_MODE', true );

I had a new install of 7.0 and used the upgrade patch to 7.01 and mine was set as define( 'DB_FULL_DEBUG_MODE', true );

That is really bad as I do have a live site with over 300 members and I am not experienced enough to fully understand the dolphin site, and the risks that I have been exposed to and without help from forum members my site would have been dead in the water long ago, considering the help I was given this time on this Security Risk, was given outside of Boonex from someone who cared enough to email me. I am grateful to the members that have given me help and support over the past and I am sure will be there for me in the future. The future of my success greatly depends on you guys here today that give a damn that someone like me who doesn't know PHP can have a successful Site.

Jennifer .. xx

Jennifer Bogan
May 30, 2010 23:55 | 2 likes

@ Magnussoft  Do you have any idea what that error is about and what I can do to fix it?  I can't imagine this is good!

Someday, Someway.
May 31, 2010 00:07 | 2 likes

I have released an emergency update for Dolphin 7.0.0 and 7.0.1. Please read the included readme.txt file for further information and contributions.

Download: http://armatus.net/Dolphin-v.7.0.1.1-Magnussoft.zip

As this is considered an update to the software, the version number is 7.0.1.1. No modifications have been made to the version value in the software as a way to preserve compatibility with modifications.

Thank you One20, prolaznik, Magnussoft for contributing to this update. Thanks Mag for providing it for download :)

Jennifer

Jennifer Bogan
May 31, 2010 00:27 | 2 likes

Thank you now I've applied this Mag. Trust me you'd have heard me screaming LOL from Australia if someone hacked my site because of this risk. Dingo's be running from me, I've put every waking moment into my site and lots of money. Something so simple to fix shouldn't be OVERLOOKED. Oh right it's not a risk. Silly me it's a feature.......

Jennifer

I have released an emergency update for Dolphin 7.0.0 and 7.0.1. Please read the included readme.txt file for further information and contributions.

Download: http://armatus.net/Dolphin-v.7.0.1.1-Magnussoft.zip

As this is considered an update to the software, the version number is 7.0.1.1. No modifications have been made to the version value in the software as a way to preserve compatibility with modifications.

Thank you One20, prolaznik, Magnussoft for contributing to this update. Thanks Mag for providing it for download :)

Jennifer

Someone had to do it, and BoonEx chose not to.

Jennifer Bogan
May 31, 2010 03:55 | 1 like

This debug info is shown because FULL DEBUG MODE is enabled.

This mode is TURNED OFF BY DEFAULT !

So, there is no security risk !

But for sure you can check inc/classes/BxDolDb.php file and make sure that you have the following string in the beginning of file:

define( 'DB_FULL_DEBUG_MODE', false );

but NOT this one below:

define( 'DB_FULL_DEBUG_MODE', true );

So what you are saying is that there is no security risk??

Are you REALLY sure about that????

C'mon, just take a second to think about What you have just said...

Irrespective of whether the cause is enabled by default or not, this verbose report echoes the database's name, username and password to the browser. Which means that if you choose to use this for debugging / testing purposes - your site is at risk.

Saying that it is not a security issue is simply not true.

Basic site security 101 - never store passwords in plain text - never echo sensitive data direct to browser

Alex - please do a proper job for once - there is no reason to echo this info to the browser at all - it serves no purpose. Your response here, seems to be typical of how bugs are handled in general - put quite simply - it's half a job, as it does not work in all situations.

From now on I am going to call you 'Arthur'. This is a name of endearment that we give to people in my industry who do half a job (half-a).

/DM

Dolphin - Ajax Masturbation
May 31, 2010 07:42 | 1 like

This debug info is shown because FULL DEBUG MODE is enabled.

This mode is TURNED OFF BY DEFAULT !

So, there is no security risk !

But for sure you can check inc/classes/BxDolDb.php file and make sure that you have the following string in the beginning of file:

define( 'DB_FULL_DEBUG_MODE', false );

but NOT this one below:

define( 'DB_FULL_DEBUG_MODE', true );

Ok, define('DB_FULL_DEBUG_MODE',) was already set to false

and I just set ('DB_FULL_VISUAL_PROCESSING',) to false also

Is this correct?

Thanks

Derrick

Back to pulling my hair out! (ouch, ouch,ouch)
May 31, 2010 08:15 | 1 like

Thanks Magnussoft!

I haven't added the extra code yet. Where exactly should that be placed? (Of course if I just go back and read the "read me file" from your download again, I'm sure it's there! LOL)

As always Thanks so much! My site is active with members, and We definitely can't have the security issues!

If it wasn't for you guys my site would have never got off the ground!

Derrick

Back to pulling my hair out! (ouch, ouch,ouch)
May 31, 2010 15:48 | 0 likes

Well, the fix that I instituted did not work. I now get all the details in the error file as well as the complete database dump into my emails.

My site has banner ads here!
May 31, 2010 15:54 | 0 likes

I have released an emergency update for Dolphin 7.0.0 and 7.0.1. Please read the included readme.txt file for further information and contributions.

Download: http://armatus.net/Dolphin-v.7.0.1.1-Magnussoft.zip

As this is considered an update to the software, the version number is 7.0.1.1. No modifications have been made to the version value in the software as a way to preserve compatibility with modifications.

Should I remove the fix that Prolaznik suggested before applying this patch? I kind of like having that error file to look at.

My site has banner ads here!
May 31, 2010 15:55 | 0 likes

Well, the fix that I instituted did not work. I now get all the details in the error file as well as the complete database dump into my emails.

The issue was the displaying of information on the web site publicly. The change you applied to send everything to an error file and email is not a problem.

That's why you're the coder and I'm the tow truck driver. I will take your suggestion as gospel. Thank you.

BTW, I do want to make one observation. You change avatars like I change clothes

My site has banner ads here!
May 31, 2010 19:52 | 0 likes

It works as I described before:

This debug info is shown because FULL DEBUG MODE is enabled.

This mode is TURNED OFF BY DEFAULT !

So, there is no security risk !

But for sure you can check inc/classes/BxDolDb.php file and make sure that you have the following string in the beginning of file:

define( 'DB_FULL_DEBUG_MODE', false );

but NOT this one below:

define( 'DB_FULL_DEBUG_MODE', true );

If FULL DEBUG MODE is enabled, then it will output all the debug information into the browser window.

If FULL DEBUG MODE is disabled it will output "Database query error" error message only, without any sensitive information printed.

So all you need is to set DB_FULL_DEBUG_MODE to false.

The reason it can be set to true is that some developer who investigated some issue on your site set this value to see the exact error and debug backtrace and forgot to change it back. If you ask someone to have a look at your site, make sure that they change this value back after the investigation is completed.

Rules: http://www.boonex.com/unity/txt/terms
May 31, 2010 19:56 | 0 likes

It works as I described before:

This debug info is shown because FULL DEBUG MODE is enabled.

This mode is TURNED OFF BY DEFAULT !

So, there is no security risk !

But for sure you can check inc/classes/BxDolDb.php file and make sure that you have the following string in the beginning of file:

define( 'DB_FULL_DEBUG_MODE', false );

but NOT this one below:

define( 'DB_FULL_DEBUG_MODE', true );

If FULL DEBUG MODE is enabled, then it will output all the debug information into the browser window.

If FULL DEBUG MODE is disabled it will output "Database query error" error message only, without any sensitive information printed.

So all you need is to set DB_FULL_DEBUG_MODE to false.

The reason it can be set to true is that some developer who investigated some issue on your site set this value to see the exact error and debug backtrace and forgot to change it back. If you ask someone to have a look at your site, make sure that they change this value back after the investigation is completed.

My cron daemon always emails me with the debug info. If the developer has the cron job setup correctly, I don't see the need to enable DB_FULL_DEBUG_MODE.

On the other hand, the debug info within the email also includes the db credentials in plain text, which is still quite risky.

May 31, 2010 19:56 | 0 likes

It works as I described before:

This debug info is shown because FULL DEBUG MODE is enabled.

This mode is TURNED OFF BY DEFAULT !

So, there is no security risk !

But for sure you can check inc/classes/BxDolDb.php file and make sure that you have the following string in the beginning of file:

define( 'DB_FULL_DEBUG_MODE', false );

but NOT this one below:

define( 'DB_FULL_DEBUG_MODE', true );

If FULL DEBUG MODE is enabled, then it will output all the debug information into the browser window.

If FULL DEBUG MODE is disabled it will output "Database query error" error message only, without any sensitive information printed.

So all you need is to set DB_FULL_DEBUG_MODE to false.

The reason it can be set to true is that some developer who investigated some issue on your site set this value to see the exact error and debug backtrace and forgot to change it back. If you ask someone to have a look at your site, make sure that they change this value back after the investigation is completed.

Arthur, this still does not answer why it is necessary to echo sensitive data to the browser.

This still exposes your site when developers are testing - this is not acceptable.

Your solution is no solution at all, as it does not work in all cases.

/DM

Dolphin - Ajax Masturbation
Jun 01, 2010 05:17 | 0 likes

Some of the early beta's or rc's for d7 I noticed some sites had a database error and I did see their database name, database user, and database password in plain text in my browser. At the time I mentioned it the response was basically no big deal. Of course I don't recall the actual version of beta, rc, or otherwise but people were using it as a live site despite the boonex disclaimer that they shouldn't or to do so at their own risk. I would be pissed if any sensitive info was displayed in a browser so I can understand the concern. Never hurts to check this file setting and verify or check if possible with a database query error in your web browser. I don't see any harm in pointing out a potential security concern or issue for further investigating by others as well as Boonex.

no sig
Jun 07, 2010 05:04 | 0 likes

OK - gonna bump this one back up - I can confirm that this is still happening on my site even with the settings for DB_FULL_DEBUG_MODE and DB_FULL_VISUAL_PROCESSING disabled.

Currently looking into it but this is most definitely still an issue.

/DM

Dolphin - Ajax Masturbation
Jun 07, 2010 06:10 | 0 likes

OK - gonna bump this one back up - I can confirm that this is still happening on my site even with the settings for DB_FULL_DEBUG_MODE and DB_FULL_VISUAL_PROCESSING disabled.

Currently looking into it but this is most definitely still an issue.

/DM

I don't suppose you have display_errors enabled, do you?

display_errors = off is not a requirement for dolphin.

Still testing to confirm root cause at moment.

Pretty sure I have a solution, and yes this problem is still very much an issue.

/DM

Dolphin - Ajax Masturbation
Jun 07, 2010 06:25 | 0 likes

OK solution is this...

Comment out whole genMySQLErr function.

The issue is caused by the use of the debug_backtrace() function.

debug_backtrace() is a PHP system function and so when used as it is in the error handler holds all current vars. There is no way to selectively filter out specific variables such as passwords etc.

The safest solution is basically not to use it at all. Using it for email debugging as Arthur is suggesting still exposes the risk of the contents of debug_backtrace() being dumped to the browser in the event of something like an sql engine error - this can easily be brought on by something along the lines of a DOS attack (this has just happened to my site).

/DM

Dolphin - Ajax Masturbation
Jun 07, 2010 11:11 | 0 likes

Hello Everyone

Thanks 4 this but I'm having a problem uploading the file to inc from my host or from filezilla

Host error : Can't open that file: Permision denied

Filezilla error : Critical file transfer error

any ideas?


with notepad create a file  called phperr.txt and upload it to the folder /inc/



now add this to your php.ini settings

display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /home/content/your/path/html/inc/phperr.txt
error_reporting = E_ALL

make sure u change the path :)

now all the errors will be saved to that file so you can view it anytime and
all your users get to see is database error and nothing else

Post Reply - if you going to help - No for - bla bla bla bla
Jun 07, 2010 17:39 | 0 likes

OK - gonna bump this one back up - I can confirm that this is still happening on my site even with the settings for DB_FULL_DEBUG_MODE and DB_FULL_VISUAL_PROCESSING disabled.

Currently looking into it but this is most definitely still an issue.

/DM

I don't suppose you have display_errors enabled, do you?

display_errors = off is not a requirement for dolphin.

Still testing to confirm root cause at moment.

Pretty sure I have a solution, and yes this problem is still very much an issue.

/DM

It's there for debug purposes (display_errors), but for production environments, it should be disabled, or else information like this leaks.

LOL  That is a very ambiguous comment. Things do not just 'leak'. You must have been brainwashed by Arthur.

  1. display_errors = off is not a Dolphin requirement - never has been. (or it would say so in the requirements)
  2. Even if it was - it is overridden in header.inc.php and set to E_ALL

(can you see the source of the 'leak' ??)

Anyhows...

There is something not quite right with the genMySQLErr function in BxDolDb.php. My Dolphin site was also under a DOS attack last night, which meant that anybody trying to access it would get the verbose error message  we've been discussing. I was able to suppress the error messages by commenting out the whole genMySQLErr function.

Things to note:

  • With both of the conditional statements for DB_FULL_VISUAL_PROCESSING and DB_FULL_DEBUG_MODE commented out and set to false, the backtrace still displayed as formatted within those statements. (cue twilight zone music)
  • The only way I could get it to stop was to comment out the whole function.

It does not make complete sense to me, and with no amount of digging, can I find out the mechanism by which debug_backtrace() is invoked, and why the issue is still present. I would like to say that in this case, calling it invokes it, but I cannot confirm this (and do not entirely believe this to be the case).

At any rate, I believe that there is still a (very obvious) issue here.

/DM

Dolphin - Ajax Masturbation
Jun 07, 2010 17:58 | 0 likes

As I said before, if anyone believes this is an actual issue, then that is their choice. Even if it is, I have taken the needed steps (not by following any suggestions here) so as this issue does not ever occur.

Magnus.

You're missing the point.

I am not here looking for help in fixing my problem - I am more than capable of fixing this myself.

I am here simply to give a heads up to others who are also affected by this, and to try to get a proper fix instigated within the core if that is what's needed. It's great that you have addressed this issue for your site, but that does not really help anyone else.

There are others here that do not have the knowledge or capability to fix this themselves, or the cash to pay a dev to do it for them.

There is clearly still an issue here as display_errors is set to E_ALL in header.inc.php, which effectively overrides any server setting. This will cause the issue originally witnessed irrespective of what DB_FULL_DEBUG_MODE and DB_FULL_VISUAL_PROCESSING is set to.

As the official Boonex fix to this issue was to ensure that DB_FULL_DEBUG_MODE was disabled - and this clearly does not work for the reason mentioned above. So IMHO there is still an issue.

I do not contribute to this community for selfish reasons, I really do have more important things to do with my time. I simply put this info here for the benefit of others.

/DM

Dolphin - Ajax Masturbation
Jun 07, 2010 18:08 | 0 likes

You've missed my entire point.

Then perhaps you should clarify it.

Dolphin - Ajax Masturbation
Jun 07, 2010 18:08 | 0 likes

For the benefit of all

Dolphin - Ajax Masturbation
Jun 07, 2010 18:29 | 1 like

I've said all I need to say. No one is going to benefit from what I say in here now.

That's exactly my point.

As I said before, if anyone believes this is an actual issue, then that is their choice. Even if it is, I have taken the needed steps (not by following any suggestions here) so as this issue does not ever occur.

If you do not have anything worthwhile to say, why say anything??

In saying what you have said above - you've simply devalued what I have posted.

I think that this is a serious issue, and even if your original post was not quite on the mark, it has highlighted that there is still a problem.

I will report this as a bug. I am however interested to hear what Boonex has to say on this matter.

/DM

Dolphin - Ajax Masturbation
Jun 07, 2010 18:43 | 0 likes

Thanks Magnussoft

Hello Everyone

Thanks 4 this but I'm having a problem uploading the file to inc from my host or from filezilla

Host error : Can't open that file: Permision denied

Filezilla error : Critical file transfer error

any ideas?


with notepad create a file  called phperr.txt and upload it to the folder /inc/



now add this to your php.ini settings

display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /home/content/your/path/html/inc/phperr.txt
error_reporting = E_ALL

make sure u change the path :)

now all the errors will be saved to that file so you can view it anytime and
all your users get to see is database error and nothing else

Upload the file via your web hosting provider's file manager.

And again, just disable display_errors.

Post Reply - if you going to help - No for - bla bla bla bla
Jun 09, 2010 23:44 | 0 likes
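
The checks discussed in this thread (the two BxDolDb.php constants, the php.ini directives, and a runtime display_errors override) can be run together as one audit. This is an added example, not code from any poster or from BoonEx; the sample file contents, the `ini_set` line and the document-root value are constructed assumptions, and only the php.ini block is copied from the post above.

```python
import posixpath
import re

OFF_VALUES = {"0", "off", "false", "no", "none", ""}

# Constants named in the thread; a truthy second argument enables them.
DEFINE_RE = re.compile(
    r"define\(\s*['\"](DB_FULL_DEBUG_MODE|DB_FULL_VISUAL_PROCESSING)['\"]"
    r"\s*,\s*([^)]+?)\s*\)")
# A runtime call like this wins over whatever php.ini says.
INI_SET_RE = re.compile(
    r"ini_set\(\s*['\"]display_errors['\"]\s*,\s*([^)]+?)\s*\)", re.I)

# php.ini settings as posted in the thread.
PAGE_INI = """\
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /home/content/your/path/html/inc/phperr.txt
error_reporting = E_ALL
"""
# Everything below is constructed sample input, not the project's files.
DOCROOT = "/home/content/your/path/html"
WEAK_INI = "; constructed sample\ndisplay_errors = On\nlog_errors = Off\n"
SAMPLE_BXDOLDB = """\
<?php
define( 'DB_FULL_VISUAL_PROCESSING', true );
define( 'DB_FULL_DEBUG_MODE', false );
// define( 'DB_FULL_DEBUG_MODE', true );
"""
SAMPLE_HEADER = "<?php\nini_set('display_errors', 1);\n"


def is_on(value):
    """True unless the value is one of PHP's usual 'off' spellings."""
    return value.strip().strip("'\"").lower() not in OFF_VALUES


def parse_ini(text):
    """Minimal php.ini reader: key = value, ';' starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings


def audit_php_ini(text, docroot):
    """Return findings for the error-handling directives in a php.ini."""
    s = parse_ini(text)
    findings = []
    # PHP's built-in default for display_errors is on, so unset counts.
    if is_on(s.get("display_errors", "1")):
        findings.append("display_errors is on: errors go to the browser")
    if is_on(s.get("display_startup_errors", "0")):
        findings.append("display_startup_errors is on")
    if not is_on(s.get("log_errors", "1")):
        findings.append("log_errors is off: errors are not recorded")
    log_path = s.get("error_log", "").strip("'\"")
    root = posixpath.normpath(docroot) + "/"
    if log_path and posixpath.normpath(log_path).startswith(root):
        findings.append("error_log is inside the document root: "
                        "deny web access to it or move it outside")
    return findings


def audit_php_source(name, text):
    """Return (file, line, finding) for debug switches left enabled."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Skips whole-line comments only; block comments are not parsed.
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue
        m = DEFINE_RE.search(line)
        if m and is_on(m.group(2)):
            findings.append((name, lineno, f"{m.group(1)} is enabled"))
        m = INI_SET_RE.search(line)
        if m and is_on(m.group(1)):
            findings.append((name, lineno,
                             "display_errors enabled at runtime, "
                             "overriding php.ini"))
    return findings


if __name__ == "__main__":
    for finding in audit_php_ini(PAGE_INI, DOCROOT):
        print("php.ini:", finding)
    for src_name, src in (("BxDolDb.php", SAMPLE_BXDOLDB),
                          ("header.inc.php", SAMPLE_HEADER)):
        for finding in audit_php_source(src_name, src):
            print(*finding)
```

Run against the posted php.ini block, the only finding is the log file location: the errors are no longer shown to visitors, but the file holding them sits under the web root.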
 

I notice someone edited my opening post without me knowing (I am referring to the debug output, the removal of the other content (like quick links) was my doing).

I'll be deleting my posts in this topic shortly.

Why?

Dolphin - Ajax Masturbation
Jun 09, 2010 23:53 | 1 like

I see no reason for my posts to remain in this topic.

Removing them simply ruins the conversation, of which there is still value - there are solutions to other issues here, which are of value to those wishing to improve the security of their site- remove your posts and the context of all of this is lost.

You've already been man enough to admit you might have made an error, I do not see the need to remove your posts as well.

/DM

Dolphin - Ajax Masturbation
Jun 10, 2010 00:13 | 0 likes

The same thing happened to me

I notice someone edited my opening post without me knowing (I am referring to the debug output, the removal of the other content (like quick links) was my doing).

I'll be deleting my posts in this topic shortly.

Why?

I see no reason for my posts to remain in this topic.

Post Reply - if you going to help - No for - bla bla bla bla
Jun 10, 2010 11:20 | 0 likes

Wow. they actually edited the content?

My site has banner ads here!
Jun 10, 2010 13:54 | 0 likes

Where do I find the php.ini file to make the necessary changes as suggested below?


with notepad create a file  called phperr.txt and upload it to the folder /inc/



now add this to your php.ini settings

display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /home/content/your/path/html/inc/phperr.txt
error_reporting = E_ALL

make sure u change the path :)

now all the errors will be saved to that file so you can view it anytime and
all your users get to see is database error and nothing else

Jun 10, 2010 14:10 | 0 likes

Posts removed.

Would you like to install the Be boot manager? Volunteer SuperModerator. I'm not tech support.
Jun 10, 2010 23:46 | 0 likes

Posts removed.

Childish!

/DM

Dolphin - Ajax Masturbation
Jun 10, 2010 23:53 | 0 likes

This site doesn't have any respect for members; that is one of the reasons why the site is getting attacked, because someone really hates BoonEx and wants payback. If BoonEx developers or admins were nice to people and responded to all the topics or fixed all the bugs (I know that will never happen)... but for me there is no reason for a person to attack a website; I would be doing better stuff than that.

We Love Boonex

Wow. they actually edited the content?

Post Reply - if you going to help - No for - bla bla bla bla