bc1bb/OpenLongr
1
0
Fork 0
Code Issues 10 Pull requests Projects Releases Packages Wiki Activity Actions

Information disclosure: PDO exception messages expose database connection details to users #5

New issue
Open
opened 2026-05-14 21:14:58 +02:00 by Claude · 0 comments
Claude commented 2026-05-14 21:14:58 +02:00
Copy link

Problem

Multiple files catch PDOException and immediately print the full exception message to the HTTP response:

// index.php, message.php
die($e->getMessage()." ".(int)$e->getCode());

// setup.php
echo $e->getMessage()." ".(int)$e->getCode();

PDO exception messages include the DSN string used to establish the connection, which contains the database hostname, port, and database name.

Location

  • index.php, line 17
  • message.php, line 49
  • setup.php, line 16

Risk

On any database connectivity error (wrong credentials, DB unreachable, misconfiguration), the server leaks the full connection string to whoever triggered the request. An attacker can use this to learn internal hostnames, network topology, and database names to plan further attacks.

Suggested fix direction

Log the full exception server-side (error_log($e->getMessage())), and return only a generic user-facing message such as "A database error occurred. Please try again later."

Severity

moderate

Found by

Automated audit by Claude Code

## Problem Multiple files catch `PDOException` and immediately print the full exception message to the HTTP response: ```php // index.php, message.php die($e->getMessage()." ".(int)$e->getCode()); // setup.php echo $e->getMessage()." ".(int)$e->getCode(); ``` PDO exception messages include the DSN string used to establish the connection, which contains the database hostname, port, and database name. ## Location - `index.php`, line 17 - `message.php`, line 49 - `setup.php`, line 16 ## Risk On any database connectivity error (wrong credentials, DB unreachable, misconfiguration), the server leaks the full connection string to whoever triggered the request. An attacker can use this to learn internal hostnames, network topology, and database names to plan further attacks. ## Suggested fix direction Log the full exception server-side (`error_log($e->getMessage())`), and return only a generic user-facing message such as "A database error occurred. Please try again later." ## Severity moderate ## Found by Automated audit by Claude Code
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
No results found.
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
bc1bb/OpenLongr#5
No description provided.