Bug 463719 (WH-1652031): Information leakages on tiki-browse_categories.php, tiki-my_tiki.php, and tiki-listpages.php
Product/Component: support.mozilla.org :: Knowledge Base Software (task)
Status: VERIFIED FIXED
Target Milestone: 0.8.1
Reporter: reed; Assignee: ecooper
Whiteboard: tiki_bug, tiki_upstreamed
Opened 16 years ago; closed 16 years ago
Attachments (1 file): patch, 4.86 KB; nkoth: review+
Description (comment 0)
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=whscheck('\";)&parentId=8&offset=20&sort_mode=name_asc
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=char(39)&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc
http://support.mozilla.com/tiki-my_tiki.php?sort_mode=PHhzc3doPg%3D%3D%0A
http://support.mozilla.com/tiki-my_tiki.php?sort_mode=[]<xsswh>
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=char(41)&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=char(45,45)&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=%3Cxsswh%3E&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc
http://support.mozilla.com/tiki-my_tiki.php?sort_mode=%uff1cxsswh%uff1e
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=PHhzc3doPg==&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=char(59)+char(45)+char(45)&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc
Comment 1•16 years ago
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=<?importwhs?>&parentId=8&offset=20&sort_mode=name_asc
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=<whscheck>&parentId=8&offset=20&sort_mode=name_asc
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=char(119)%2Bchar(104)%2Bchar(115)%2Bchar(100)%2Bchar(98)%2Bchar(116)%2Bchar(101)%2Bchar(115)%2Bchar(116)&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=%26%23x3C%3B%26%23x78%3B%26%23x73%3B%26%23x73%3B%26%23x77%3B%26%23x68%3B%26%23x3E%3B%0A&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc
http://support.mozilla.com/tiki-my_tiki.php?sort_mode=%u00ABxsswh%u00BB
http://support.mozilla.com/tiki-my_tiki.php?sort_mode=+ADw-xsswh+AD4-
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=%26%2360%26%23120%26%23115%26%23115%26%23119%26%23104%26%2362%0A&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=char(119%2C104%2C115%2C100%2C98%2C116%2C101%2C115%2C116)&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=%00<whscheck>&parentId=8&offset=20&sort_mode=name_asc
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=10030613-ASCII(2)
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=</whs/%20/STYLE=a:expres/**/sion>
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&parentId=8&deep=off&type=char(13,10)X-Res:%20Split
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&parentId=8&deep=off&type='%20STYLE='background-image:%20x(a:whs())
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&parentId=8&deep=off&type=char(13%2C10)X-Res%3A%2520Split
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=char(39)
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&parentId=8&deep=off&type=whscheck('\";)
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=PHhzc3doPg==
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=char(119)%2Bchar(104)%2Bchar(115)%2Bchar(100)%2Bchar(98)%2Bchar(116)%2Bchar(101)%2Bchar(115)%2Bchar(116)
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=char(119%2C104%2C115%2C100%2C98%2C116%2C101%2C115%2C116)
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=%26%23x3C%3B%26%23x78%3B%26%23x73%3B%26%23x73%3B%26%23x77%3B%26%23x68%3B%26%23x3E%3B%0A
http://support.mozilla.com/tiki-listpages.php?offset=3000&sort_mode=char(119)%2Bchar(104)%2Bchar(115)%2Bchar(100)%2Bchar(98)%2Bchar(116)%2Bchar(101)%2Bchar(115)%2Bchar(116)&maxRecords=10
Updated•16 years ago
Summary: Information leakages on tiki-browse_categories.php and tiki-my_tiki.php → Information leakages on tiki-browse_categories.php, tiki-my_tiki.php, and tiki-listpages.php
Updated•16 years ago
Group: websites-security
Updated•16 years ago
Group: websites-security
Updated•16 years ago
Assignee: nobody → laura
Target Milestone: --- → 0.8.1
Comment 2•16 years ago
Nelson, is there a setting where we show no information about errors to non-admins?
Updated•16 years ago
Assignee: laura → smirkingsisyphus
Comment 3•16 years ago
This patch stops the leaks by placing the generic "An unexpected error has occurred!" message in their place if the 'tiki_error_reporting_verbose' preference is turned off. I know we wanted to use the existing 'error_reporting_adminonly' pref, but I elected for a new preference for two reasons:
1) 'error_reporting_adminonly' is useless in webroot/tiki-setup_base.php (where the errors are being thrown from) because you can actually check for admins permissions yet.
2) 'error_reporting_adminonly' is really for PHP errors like "Expected T_IF[...]". Adding a new pref makes the distinction between PHP errors and arbitrary (in the sense that they aren't fatal to anything but form processing) tiki errors.
If we're really, really against adding a new pref, this can fall under the 'error_reporting_level' pref.
Attachment #356848 - Flags: review?(nelson)
Comment 4•16 years ago
(In reply to comment #3)
> 1) 'error_reporting_adminonly' is useless in webroot/tiki-setup_base.php (where
> the errors are being thrown from) because you can actually check for admins
> permissions yet.

can't actually check* Crazy typos.
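An added illustration of the gating that comment 3 describes (example code, not Tiki's code and not the attached patch): a listing parameter is checked against an allow-list, and a rejected value produces either the generic message or, only when a verbose-errors preference is on, the detailed notice that comment 6 quotes from production. The preference name and the generic message come from the thread; the allow-list, the function names, the default sort mode and the sample inputs are assumptions. Because the probe strings in comment 0 and comment 1 carry markup such as <xsswh>, the verbose branch HTML-escapes the reflected value before it is placed in the page.

```php
<?php
// Added example (not Tiki's code): sketch of the behaviour described in comment 3.
// A request parameter that fails validation is never echoed back to an anonymous
// visitor; only when a verbose-errors preference is on does the page reveal which
// variable was rejected and what value it carried.
// The allow-list, the default sort mode and the function names are assumptions.

const GENERIC_ERROR = 'An unexpected error has occurred!';

// Assumed allow-list of legal sort modes for a listing page.
const ALLOWED_SORT_MODES = ['name_asc', 'name_desc', 'created_asc', 'created_desc'];

/**
 * Validate a $_GET['sort_mode']-style value against the allow-list.
 * Returns the accepted value, or null when the input is not acceptable.
 */
function validate_sort_mode(?string $value): ?string
{
    if ($value === null) {
        return 'name_asc'; // assumed default when the parameter is absent
    }
    return in_array($value, ALLOWED_SORT_MODES, true) ? $value : null;
}

/**
 * Build the message shown for a rejected variable.
 * $verbose stands for the 'tiki_error_reporting_verbose' preference named in
 * comment 3: off (the production setting) yields only the generic text; on yields
 * the detailed notice, with both pieces of reflected data HTML-escaped so that
 * probe input such as <xsswh> renders as text rather than as markup.
 */
function error_message(string $varName, string $value, bool $verbose): string
{
    if (!$verbose) {
        return GENERIC_ERROR;
    }
    return sprintf(
        'Notice: invalid variable value: $_GET["%s"] = %s',
        htmlspecialchars($varName, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
    );
}

// Constructed sample inputs modelled on the probes in comment 0 and comment 1.
$samples = [
    'name_asc',
    'char(119)+char(104)+char(115)',
    '[]<xsswh>',
];

foreach ([false, true] as $verbose) {
    echo $verbose ? "--- verbose on (debugging only) ---\n" : "--- verbose off (production) ---\n";
    foreach ($samples as $input) {
        $accepted = validate_sort_mode($input);
        echo $accepted !== null
            ? "accepted sort_mode={$accepted}\n"
            : error_message('sort_mode', $input, $verbose) . "\n";
    }
}
```

Run it with `php example.php`. With the preference off, every rejected value yields the same generic line, which is the result comment 7 calls good; with it on, the notice names the variable and echoes the value, which is exactly the information the report objects to, so that setting belongs only on a development or staging instance.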
Comment 5•16 years ago
Comment on attachment 356848: Patch to mute error messages in r21587/r21588
Attachment #356848 - Flags: review?(nelson) → review+
Updated•16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 6•16 years ago
Were some of these fixed already? What I am looking for on pages such as
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&parentId=8&deep=off&type=char%2813%2C10%29X-Res%3A%2520Split ?
I don't see a difference between that on prod and its staging URL
http://support-stage.mozilla.org/tiki-browse_categories.php?locale=en-US&parentId=8&deep=off&type=char%2813%2C10%29X-Res%3A%2520Split, for instance.

(Others I clearly do see fixed, such as the difference between
http://support.mozilla.com/tiki-listpages.php?offset=3000&sort_mode=char%28119%29%2Bchar%28104%29%2Bchar%28115%29%2Bchar%28100%29%2Bchar%2898%29%2Bchar%28116%29%2Bchar%28101%29%2Bchar%28115%29%2Bchar%28116%29&maxRecords=10,
where it prints out "Notice: invalid variable value: $_GET["sort_mode"] = char(119)+char(104)+char(115)+char(100)+char(98)+char(116)+char(101)+char(115)+char(116)" on production and merely "An unexpected error has occurred!" on staging.)

Thanks in advance
Comment 7•16 years ago
Yes, some of these were fixed earlier in bug 463152. If you get "An unexpected error has occurred!" and nothing else, that is a good result.
Comment 8•16 years ago
Verified FIXED; checked all the URLs in comment 0 and comment 1 against staging (where on production they were outputting specific error messages), and they're now yielding "An unexpected error has occurred!" Thanks, Nelson.
Status: RESOLVED → VERIFIED
Updated•15 years ago
Whiteboard: tiki_bug
Comment 10•15 years ago
I made it so the database error reporting follows the normal PHP error reporting rules.
Updated•15 years ago
Whiteboard: tiki_bug → tiki_bug, tiki_upstreamed
Comment 11•8 years ago
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security