Full Path disclosure in https://forums.mozilla.org



3 years ago


(Reporter: Muhammad Shahmeer, Assigned: fox2mike)


Windows 8.1
Bug Flags:
sec-bounty -
3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36 OPR/27.0.1689.76

Steps to reproduce:

Hey there,
I found out about a full path disclosure through the error message by using an invalid multibyte sequence in the search parameter.

Here is how I reproduced it:
I entered the following multibyte sequence in the search parameter

I did a raw request using tamper data addon in mozilla

Actual results:

I got the following error message disclosing a sensitive path to the server

[phpBB Debug] PHP Warning: in file [ROOT]/includes/functions.php on line 35: htmlspecialchars(): Invalid multibyte sequence in argument
[phpBB Debug] PHP Warning: in file [ROOT]/includes/functions.php on line 4752: Cannot modify header information - headers already sent by (output started at [ROOT]/includes/functions.php:3887)
[phpBB Debug] PHP Warning: in file [ROOT]/includes/functions.php on line 4754: Cannot modify header information - headers already sent by (output started at [ROOT]/includes/functions.php:3887)
[phpBB Debug] PHP Warning: in file [ROOT]/includes/functions.php on line 4755: Cannot modify header information - headers already sent by (output started at [ROOT]/includes/functions.php:3887)
[phpBB Debug] PHP Warning: in file [ROOT]/includes/functions.php on line 4756: Cannot modify header information - headers already sent by (output started at [ROOT]/includes/functions.php:3887)

Expected results:

The error should have been sanitized and the error should not have disclosed a full path
Please fix this ASAP
Group: core-security → websites-security
Component: Untriaged → other.mozilla.org
Product: Firefox → Websites
Version: Firefox 38 → unspecified
It looks like we need to disable phpBB debug messages: https://www.phpbb.com/community/viewtopic.php?f=46&t=1237615
fox2mike - could you get someone from your team to disable phpBB debug messages on forums.m.o?
Assignee: nobody → smani
Flags: needinfo?(smani)

Comment 4

3 years ago
This isn't me, double-checking with Jason before I make changes.
Flags: needinfo?(smani) → needinfo?(jthomas)
I haven't worked on forums.mozilla.org in a long while, Webops might be more familiar with how PHP error reporting is configured.

Currently error reporting is set to $level = E_ALL & ~E_NOTICE & ~E_DEPRECATED in ./includes/startup.php

Debug messages only occur for E_WARNING (./includes/functions.php line 3873); we can probably just set $level = E_ERROR

If we want to disable all error_reporting in phpBB we can set $level = 0
Flags: needinfo?(jthomas)
If it literally states [ROOT], how is this "full path" disclosure?
Ah, I thought this was just omitted in comment 0. Looking at the code, phpbb_filter_root_path() is called to sanitize the path before the warning is shown.
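An added illustration in PHP of the two mechanisms the thread discusses: filtering the install root out of warning text before it is shown (the "[ROOT]" token in comment 0), and using the error_reporting level to decide whether warnings are rendered at all. This is not phpBB's code and not the configuration of forums.mozilla.org; the function names filter_root_path and render_debug_warning, the install path and the sample message are all constructed for the example.

```php
<?php
// Added illustration, not phpBB's own code: keep absolute filesystem paths
// out of user-visible warnings, and let the error_reporting() bitmask decide
// whether a warning is rendered at all.

// Replace an absolute install path with the neutral token "[ROOT]".
// Slashes are normalised first so a Windows-style path is matched as well.
function filter_root_path(string $text, string $rootPath): string
{
    $root = rtrim(str_replace('\\', '/', $rootPath), '/');
    $text = str_replace('\\', '/', $text);
    return $root === '' ? $text : str_replace($root, '[ROOT]', $text);
}

// Render a warning as a debug line, or return null when the configured level
// excludes it. $level is an error_reporting() bitmask such as
// E_ALL & ~E_NOTICE & ~E_DEPRECATED (the value quoted in the thread).
// Both the file name and the message are filtered, because PHP embeds paths in
// message text too ("headers already sent by (output started at ...)").
function render_debug_warning(int $errno, string $msg, string $file, int $line,
                              string $rootPath, int $level): ?string
{
    if (($level & $errno) === 0) {
        return null;                       // reporting level excludes this type
    }
    if ($errno !== E_WARNING && $errno !== E_USER_WARNING) {
        return null;                       // only warnings become debug lines
    }
    return sprintf('[Debug] PHP Warning: in file %s on line %d: %s',
        filter_root_path($file, $rootPath), $line, filter_root_path($msg, $rootPath));
}

// --- demonstration with constructed values ----------------------------------
$rootPath = '/var/www/forums/';            // constructed install path (hypothetical)
$file     = '/var/www/forums/includes/functions.php';
$msg      = 'Cannot modify header information - headers already sent by '
          . '(output started at /var/www/forums/includes/functions.php:3887)';

// Level currently configured per the thread: the warning is shown, but every
// occurrence of the install path is replaced by [ROOT].
$shown = render_debug_warning(E_WARNING, $msg, $file, 4752, $rootPath,
                              E_ALL & ~E_NOTICE & ~E_DEPRECATED);
echo $shown, PHP_EOL;

// Level proposed in the thread: E_ERROR does not include E_WARNING, so the
// function returns null and nothing reaches the user.
$hidden = render_debug_warning(E_WARNING, $msg, $file, 4752, $rootPath, E_ERROR);
var_dump($hidden);

// Wired in as the active handler, using the live error_reporting() level.
// Returning true suppresses PHP's default (unfiltered) output for the error.
set_error_handler(function (int $errno, string $msg, string $file, int $line) use ($rootPath): bool {
    $out = render_debug_warning($errno, $msg, $file, $line, $rootPath, error_reporting());
    if ($out !== null) {
        echo $out, PHP_EOL;
    }
    return true;
});
error_reporting(E_ERROR);
trigger_error('a user warning raised while the level is E_ERROR', E_USER_WARNING);
```

The first call renders the line with the root replaced, which is the "[ROOT]/includes/functions.php" form seen in comment 0; the second returns null because E_ERROR excludes E_WARNING, which is the effect of the $level change proposed above. The handler at the end does the same against the live level, so the final trigger_error() produces no output. Filtering and level reduction are complementary: the filter protects whatever is still shown, and the level decides how much is shown in the first place.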
Ah, I also thought that the actual root had been edited from the messages in comment #0.

Comment 9

3 years ago
It is edited
(In reply to Muhammad Shahmeer from comment #9)
> It is edited

What full path did you get in place of "[ROOT]"?

What you put in comment 0 and what I see when I try your steps is a relative path, not a "full" path. includes/functions.php is a standard and expected file in PHP and isn't revealing any information (the site itself says it's using phpBB in the footer).

I bet knowing [ROOT] wouldn't reveal all that much information either given our configs are probably checked into svn or github somewhere.
Flags: sec-bounty?
I was not able to reproduce this issue. It would be helpful if we could get a screenshot of your work in the Tamper Data Addon immediately before submitting the request?
Flags: needinfo?(shahmeerbond)

Comment 12

3 years ago
I was able to reproduce this by using Acunetix HTTP editor that performs RAW request and responses
Flags: needinfo?(shahmeerbond)
Reproduce _what_ is the question. We can reproduce a literal "[ROOT]" string as you wrote in comment 0. Did you also get the literal string "[ROOT]" or did you get something else, and if you got something else, what did you get? Do you have a screenshot as Richard asked in comment 11?

Our own testing and checking the code (comment 7) says you should only have gotten the literal "[ROOT]"
Flags: needinfo?(shahmeerbond)

Comment 14

3 years ago
Yes the literal root string is what I got
Flags: needinfo?(shahmeerbond)
Thanks, that's working as designed then.
Group: websites-security
Last Resolved: 3 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → WORKSFORME