Closed Bug 463719 (WH-1652031) Opened 16 years ago Closed 16 years ago

Information leakages on tiki-browse_categories.php, tiki-my_tiki.php, and tiki-listpages.php

Categories

(support.mozilla.org :: Knowledge Base Software, task)

task
Not set
major

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: reed, Assigned: ecooper)

References

Details

(Whiteboard: tiki_bug, tiki_upstreamed)

Attachments

(1 file)

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=<?importwhs?>&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=<whscheck>&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=char(119)%2Bchar(104)%2Bchar(115)%2Bchar(100)%2Bchar(98)%2Bchar(116)%2Bchar(101)%2Bchar(115)%2Bchar(116)&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=%26%23x3C%3B%26%23x78%3B%26%23x73%3B%26%23x73%3B%26%23x77%3B%26%23x68%3B%26%23x3E%3B%0A&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-my_tiki.php?sort_mode=%u00ABxsswh%u00BB

http://support.mozilla.com/tiki-my_tiki.php?sort_mode=+ADw-xsswh+AD4-

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=%26%2360%26%23120%26%23115%26%23115%26%23119%26%23104%26%2362%0A&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=char(119%2C104%2C115%2C100%2C98%2C116%2C101%2C115%2C116)&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=%00<whscheck>&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=10030613-ASCII(2)

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=</whs/%20/STYLE=a:expres/**/sion>

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&parentId=8&deep=off&type=char(13,10)X-Res:%20Split

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&parentId=8&deep=off&type='%20STYLE='background-image:%20x(a:whs())

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&parentId=8&deep=off&type=char(13%2C10)X-Res%3A%2520Split

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=char(39)

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&parentId=8&deep=off&type=whscheck('\";)

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=PHhzc3doPg==

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=char(119)%2Bchar(104)%2Bchar(115)%2Bchar(100)%2Bchar(98)%2Bchar(116)%2Bchar(101)%2Bchar(115)%2Bchar(116)

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=char(119%2C104%2C115%2C100%2C98%2C116%2C101%2C115%2C116)

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=%26%23x3C%3B%26%23x78%3B%26%23x73%3B%26%23x73%3B%26%23x77%3B%26%23x68%3B%26%23x3E%3B%0A

http://support.mozilla.com/tiki-listpages.php?offset=3000&sort_mode=char(119)%2Bchar(104)%2Bchar(115)%2Bchar(100)%2Bchar(98)%2Bchar(116)%2Bchar(101)%2Bchar(115)%2Bchar(116)&maxRecords=10
Summary: Information leakages on tiki-browse_categories.php and tiki-my_tiki.php → Information leakages on tiki-browse_categories.php, tiki-my_tiki.php, and tiki-listpages.php
Group: websites-security
Group: websites-security
Assignee: nobody → laura
Target Milestone: --- → 0.8.1
Nelson, is there a setting where we show no information about errors to non-admins?
Assignee: laura → smirkingsisyphus
This patch stops the leaks by placing the generic "An unexpected error has occurred!" message in their place if the 'tiki_error_reporting_verbose' preference is turned off.

I know we wanted to use the existing 'error_reporting_adminonly' pref, but I elected for a new preference for two reasons: 

1) 'error_reporting_adminonly' is useless in webroot/tiki-setup_base.php (where the errors are being thrown from) because you can actually check for admins permissions yet.

2) 'error_reporting_adminonly' is really for PHP errors like "Expected T_IF[...]".

Adding a new pref makes the distinction between PHP errors and arbitrary (in the sense that they aren't fatal to anything but form processing) tiki errors.

If we're really, really against adding a new pref, this can fall under the 'error_reporting_level' pref.
Attachment #356848 - Flags: review?(nelson)
(In reply to comment #3)
> 1) 'error_reporting_adminonly' is useless in webroot/tiki-setup_base.php (where
> the errors are being thrown from) because you can actually check for admins
> permissions yet.

can't actually check*

Crazy typos.
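The fix described in comment 3 (a generic "An unexpected error has occurred!" message unless a verbose-reporting preference is on) is the standard way to stop input-validation notices from echoing attacker-controlled parameter values back into the page. The snippet below is an added illustration of that pattern in plain PHP; it is not Tiki's code or the patch attached to this bug. The `$prefs` array, the `ALLOWED_SORT_MODES` list and the function names `validate_sort_mode` and `report_input_error` are assumptions made for the example, and the `'tiki_error_reporting_verbose'` key is used only because the comment above names it.

```php
<?php
// Added example, not Tiki's own code: reject unknown request parameters
// against a whitelist and gate the detail of the error message behind a
// verbose-reporting preference. All names here are assumptions.
declare(strict_types=1);

// Constructed preference store standing in for the application's settings.
// 'y' should only ever be set on a development instance.
$prefs = [
    'tiki_error_reporting_verbose' => 'n',
];

// Constructed whitelist of sort modes a listing page accepts.
const ALLOWED_SORT_MODES = ['name_asc', 'name_desc', 'created_asc', 'created_desc'];

/**
 * Return the validated sort mode, a default when the parameter is absent,
 * or null when the supplied value is not on the whitelist.
 */
function validate_sort_mode(?string $value): ?string
{
    if ($value === null) {
        return 'name_asc';
    }
    return in_array($value, ALLOWED_SORT_MODES, true) ? $value : null;
}

/**
 * Build the message shown to the user for an invalid request parameter.
 * The rejected value is always recorded server-side (without being rendered)
 * but is only echoed to the browser when the verbose preference is enabled,
 * and then only after HTML-escaping it.
 */
function report_input_error(array $prefs, string $param, string $value): string
{
    // Operators still get a record of the rejection; the raw value goes to the
    // log, never to the response body.
    error_log(sprintf('rejected $_GET["%s"] (%d bytes)', $param, strlen($value)));

    if (($prefs['tiki_error_reporting_verbose'] ?? 'n') === 'y') {
        // Same wording as the notice quoted in this bug, but escaped so the
        // page can never reflect markup even in verbose mode.
        return sprintf(
            'Notice: invalid variable value: $_GET["%s"] = %s',
            $param,
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        );
    }
    return 'An unexpected error has occurred!';
}

// Constructed request: a value that is not on the whitelist.
$_GET['sort_mode'] = 'not_a_real_sort_mode';

$sortMode = validate_sort_mode($_GET['sort_mode'] ?? null);
if ($sortMode === null) {
    // With the preference off this prints only the generic message.
    echo report_input_error($prefs, 'sort_mode', (string) $_GET['sort_mode']), PHP_EOL;
    exit;
}
echo "sorting by {$sortMode}", PHP_EOL;
```

Run with `php example.php`: with the preference at `'n'` the output is the generic message and the rejected value appears only in the error log; flipping it to `'y'` reproduces the detailed notice, escaped. The verification step in the later comments (every probe URL now yielding nothing but "An unexpected error has occurred!") is exactly the behaviour this gate produces.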
Comment on attachment 356848 [details] [diff] [review]
Patch to mute error messages

in r21587/r21588
Attachment #356848 - Flags: review?(nelson) → review+
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Were some of these fixed already?

What am I looking for on pages such as http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&parentId=8&deep=off&type=char%2813%2C10%29X-Res%3A%2520Split ?  I don't see a difference between that on prod and its staging URL http://support-stage.mozilla.org/tiki-browse_categories.php?locale=en-US&parentId=8&deep=off&type=char%2813%2C10%29X-Res%3A%2520Split, for instance.

(Others I clearly do see fixed, such as the difference between http://support.mozilla.com/tiki-listpages.php?offset=3000&sort_mode=char%28119%29%2Bchar%28104%29%2Bchar%28115%29%2Bchar%28100%29%2Bchar%2898%29%2Bchar%28116%29%2Bchar%28101%29%2Bchar%28115%29%2Bchar%28116%29&maxRecords=10, where it prints out, "Notice: invalid variable value: $_GET["sort_mode"] = char(119)+char(104)+char(115)+char(100)+char(98)+char(116)+char(101)+char(115)+char(116)" on production and merely "An unexpected error has occurred!" on staging.

Thanks in advance
Yes, some of these were fixed earlier in bug 463152 

If you get "An unexpected error has occurred!" and nothing else, that is a good result.
Verified FIXED; checked all the URLs in comment 0 and comment 1 against staging (where on production they were outputting specific error messages), and they're now yielding "An unexpected error has occurred!"

Thanks, Nelson.
Status: RESOLVED → VERIFIED
Whiteboard: tiki_bug
I made it so the database error reporting follows the normal PHP error reporting rules.
Whiteboard: tiki_bug → tiki_bug, tiki_upstreamed
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security