Bug 463719 (WH-1652031)

Information leakages on tiki-browse_categories.php, tiki-my_tiki.php, and tiki-listpages.php

VERIFIED FIXED in 0.8.1

Status

support.mozilla.org
Knowledge Base Software
--
major
VERIFIED FIXED
9 years ago
2 years ago

People

(Reporter: reed, Assigned: ecooper)

Tracking

unspecified
0.8.1

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: tiki_bug, tiki_upstreamed)

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=whscheck('\";)&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=char(39)&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-my_tiki.php?sort_mode=PHhzc3doPg%3D%3D%0A

http://support.mozilla.com/tiki-my_tiki.php?sort_mode=[]<xsswh>

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=char(41)&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=char(45,45)&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=%3Cxsswh%3E&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-my_tiki.php?sort_mode=%uff1cxsswh%uff1e

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=PHhzc3doPg==&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=char(59)+char(45)+char(45)&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc
(Reporter)

Comment 1

9 years ago
http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=<?importwhs?>&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=<whscheck>&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=char(119)%2Bchar(104)%2Bchar(115)%2Bchar(100)%2Bchar(98)%2Bchar(116)%2Bchar(101)%2Bchar(115)%2Bchar(116)&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=%26%23x3C%3B%26%23x78%3B%26%23x73%3B%26%23x73%3B%26%23x77%3B%26%23x68%3B%26%23x3E%3B%0A&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-my_tiki.php?sort_mode=%u00ABxsswh%u00BB

http://support.mozilla.com/tiki-my_tiki.php?sort_mode=+ADw-xsswh+AD4-

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=%26%2360%26%23120%26%23115%26%23115%26%23119%26%23104%26%2362%0A&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=char(119%2C104%2C115%2C100%2C98%2C116%2C101%2C115%2C116)&deep=off&type=&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=%00<whscheck>&parentId=8&offset=20&sort_mode=name_asc

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=10030613-ASCII(2)

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=</whs/%20/STYLE=a:expres/**/sion>

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&parentId=8&deep=off&type=char(13,10)X-Res:%20Split

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&parentId=8&deep=off&type='%20STYLE='background-image:%20x(a:whs())

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&parentId=8&deep=off&type=char(13%2C10)X-Res%3A%2520Split

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=char(39)

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&parentId=8&deep=off&type=whscheck('\";)

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=PHhzc3doPg==

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=char(119)%2Bchar(104)%2Bchar(115)%2Bchar(100)%2Bchar(98)%2Bchar(116)%2Bchar(101)%2Bchar(115)%2Bchar(116)

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=char(119%2C104%2C115%2C100%2C98%2C116%2C101%2C115%2C116)

http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&find=&deep=off&type=&parentId=8&offset=20&sort_mode=%26%23x3C%3B%26%23x78%3B%26%23x73%3B%26%23x73%3B%26%23x77%3B%26%23x68%3B%26%23x3E%3B%0A

http://support.mozilla.com/tiki-listpages.php?offset=3000&sort_mode=char(119)%2Bchar(104)%2Bchar(115)%2Bchar(100)%2Bchar(98)%2Bchar(116)%2Bchar(101)%2Bchar(115)%2Bchar(116)&maxRecords=10
(Reporter)

Updated

9 years ago
Summary: Information leakages on tiki-browse_categories.php and tiki-my_tiki.php → Information leakages on tiki-browse_categories.php, tiki-my_tiki.php, and tiki-listpages.php
(Reporter)

Updated

9 years ago
Group: websites-security
(Reporter)

Updated

9 years ago
Group: websites-security

Updated

9 years ago
Assignee: nobody → laura
Target Milestone: --- → 0.8.1

Comment 2

9 years ago
Nelson, is there a setting where we show no information about errors to non-admins?

Updated

9 years ago
Assignee: laura → smirkingsisyphus
(Assignee)

Comment 3

9 years ago
Created attachment 356848 [details] [diff] [review]
Patch to mute error messages

This patch stops the leaks by placing the generic "An unexpected error has occurred!" message in their place if the 'tiki_error_reporting_verbose' preference is turned off.

I know we wanted to use the existing 'error_reporting_adminonly' pref, but I elected for a new preference for two reasons: 

1) 'error_reporting_adminonly' is useless in webroot/tiki-setup_base.php (where the errors are being thrown from) because you can actually check for admins permissions yet.

2) 'error_reporting_adminonly' is really for PHP errors like "Expected T_IF[...]".

Adding a new pref makes the distinction between PHP errors and arbitrary (in the sense that they aren't fatal to anything but form processing) tiki errors.

If we're really, really against adding a new pref, this can fall under the 'error_reporting_level' pref.
Attachment #356848 - Flags: review?(nelson)
(Assignee)

Comment 4

9 years ago
(In reply to comment #3)
> 1) 'error_reporting_adminonly' is useless in webroot/tiki-setup_base.php (where
> the errors are being thrown from) because you can actually check for admins
> permissions yet.

can't actually check*

Crazy typos.

Comment 5

9 years ago
Comment on attachment 356848 [details] [diff] [review]
Patch to mute error messages

in r21587/r21588
Attachment #356848 - Flags: review?(nelson) → review+

Updated

9 years ago
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Comment 6

Were some of these fixed already?

What am I looking for on pages such as http://support.mozilla.com/tiki-browse_categories.php?locale=en-US&parentId=8&deep=off&type=char%2813%2C10%29X-Res%3A%2520Split ?  I don't see a difference between that on prod and its staging URL http://support-stage.mozilla.org/tiki-browse_categories.php?locale=en-US&parentId=8&deep=off&type=char%2813%2C10%29X-Res%3A%2520Split, for instance.

(Others I clearly do see fixed, such as the difference between http://support.mozilla.com/tiki-listpages.php?offset=3000&sort_mode=char%28119%29%2Bchar%28104%29%2Bchar%28115%29%2Bchar%28100%29%2Bchar%2898%29%2Bchar%28116%29%2Bchar%28101%29%2Bchar%28115%29%2Bchar%28116%29&maxRecords=10, where it prints out, "Notice: invalid variable value: $_GET["sort_mode"] = char(119)+char(104)+char(115)+char(100)+char(98)+char(116)+char(101)+char(115)+char(116)" on production and merely "An unexpected error has occurred!" on staging.)

Thanks in advance

Comment 7

9 years ago
Yes, some of these were fixed earlier in bug 463152.

If you get "An unexpected error has occurred!" and nothing else, that is a good result.

Comment 8

Verified FIXED; checked all the URLs in comment 0 and comment 1 against staging (where on production they were outputting specific error messages), and they're now yielding "An unexpected error has occurred!".

Thanks, Nelson.
Status: RESOLVED → VERIFIED
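A regression check for the verification done in comments 6 to 8, added here as an example and not code from this bug or from Tiki. It takes URL/response-body pairs (capturing them from staging is assumed to happen separately, e.g. with curl) and reports whether each response is muted to the generic message, still contains a verbose notice, or reflects the probe value from the query string; the sample URL and bodies are constructed from comment 1 and comment 6.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Generic text the patch in this bug substitutes for detailed Tiki errors.
GENERIC_ERROR = "An unexpected error has occurred!"

# Fragments whose presence means a verbose error or variable dump reached the client.
LEAK_PATTERNS = [
    r"Notice: invalid variable value",        # exact notice seen on production (comment 6)
    r"\$_(GET|POST|REQUEST)\[",               # raw request variable echoed back
    r"\b(Warning|Fatal error|Parse error):",  # PHP diagnostics
    r"You have an error in your SQL syntax",  # MySQL error text
]

def reflected_probes(url: str, body: str) -> list:
    """Query values from `url` that the page echoed verbatim. parse_qsl percent-decodes,
    so sort_mode=char(119)%2Bchar(104) is compared as 'char(119)+char(104)', the form
    production printed. Values made only of word characters and '-' (locale=en-US,
    sort_mode=name_asc) are skipped: they occur in normal HTML and are not probes."""
    echoed = []
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if re.search(r"[^\w\-]", value) and value in body:
            echoed.append(value)
    return echoed

def classify(url: str, body: str) -> dict:
    """Verdict for one URL/response pair: leaks matched, probes reflected, muted or not."""
    leaks = [p for p in LEAK_PATTERNS if re.search(p, body)]
    echoed = reflected_probes(url, body)
    muted = GENERIC_ERROR in body and not leaks and not echoed
    return {"url": url, "leaks": leaks, "reflected": echoed, "muted": muted}

def check_all(captures: list) -> list:
    """`captures` is a list of (url, body) pairs fetched from prod or staging."""
    return [classify(url, body) for url, body in captures]

# Constructed sample: the tiki-listpages.php URL from comment 1 with the two bodies
# described in comment 6 (production before the fix, staging after).
LISTPAGES_URL = (
    "http://support.mozilla.com/tiki-listpages.php?offset=3000&sort_mode="
    "char(119)%2Bchar(104)%2Bchar(115)%2Bchar(100)%2Bchar(98)%2Bchar(116)"
    "%2Bchar(101)%2Bchar(115)%2Bchar(116)&maxRecords=10"
)
PROD_BODY = ('<p>Notice: invalid variable value: $_GET["sort_mode"] = char(119)+char(104)'
             '+char(115)+char(100)+char(98)+char(116)+char(101)+char(115)+char(116)</p>')
STAGE_BODY = "<p>An unexpected error has occurred!</p>"

if __name__ == "__main__":
    for verdict in check_all([(LISTPAGES_URL, PROD_BODY), (LISTPAGES_URL, STAGE_BODY)]):
        print(verdict["muted"], verdict["leaks"], verdict["reflected"])
```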

Updated

9 years ago
Duplicate of this bug: 469095
Whiteboard: tiki_bug

Comment 9

I made it so the database error reporting follows the normal PHP error reporting rules.
Whiteboard: tiki_bug → tiki_bug, tiki_upstreamed

Comment 10

These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security