If PHP is set to display errors, then anyone can enter a faulty URL causing PHP to give up valuable information about directory structures and so on.

(Can someone add instructions on where to turn this off please).

See also

• Using Moodle Security and Privacy forum
• Using upgrade to 1.9.2 has PHP setting display_errors message Moodle forum discussion