Script Folder Names are revealed to CWP users
Operating system version
OS X 10.6.8
Description of the issue
When calling getScriptNames via CWP the names of all script folders are revealed despite the fact that the user account accessing the database has script privileges set to "All No Access".
Steps to reproduce the problem
create a database with a user account privilege set that has scripts set to "All No Access" and extended privileges set to fmphp.
Write a php page which queries the database using that account and calls getScriptNames.
I expect an error to be returned or an empty object.
The names of all script folders are returned.
Script folders may contain information which is expected to be secure. There is no warning that I have seen that advices the developer that Folder names will be revealed to web users regardless of the security settings in user account privilege sets.
Databases which have been purchased from vendors will have signature folder names. If an exploitable weakness is discovered in the product the signature folder name may be used to identify the database for attack.
Not use folders.