
Information disclosure on error messages #78

Closed
Nicals opened this issue Dec 15, 2014 · 6 comments

Comments

Nicals commented Dec 15, 2014

Continuation of a discussion started on the unmaintained repository.

As said in the issue above: Shaarli has a problem with its error logging process. It discloses too much information:

The correct way to report errors on a website is not to use die(); it is to return an HTTP 500 response with a generic error message. You can display a generic message and add a line in a log file. The message could suggest that the user check the log for more information.

nodiscc (member) commented Dec 15, 2014

@Nicals thanks for the bug report.

  • Yes, we could remove `('.realpath(dirname(__FILE__)).')` at line 92 so as not to disclose the path.
  • PHP version leak: we can use the wording suggested in sebsauvage/Shaarli#214 ("Please, don't tell the world which PHP version I'm running"): "Your PHP version is obsolete! Shaarli requires at least php 5.1.0, and thus cannot run. Sorry. Your PHP version has known security vulnerabilities and should be updated as soon as possible."
  • Obsolete version disclosure: this is only visible to the logged-in user, and should stay visible to the user/admin to notify them of available updates, see #34 (Make update check optional).

What do you think?
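The pattern Nicals describes (generic HTTP 500 plus a private log line instead of die()) and the two fixes nodiscc lists (drop the realpath() from the message, state only the required PHP version) are shown together below. This is an added example, not Shaarli's code; the log path, the messages and the `data` directory check are assumptions made for the illustration.

```php
<?php
// Added example, not Shaarli's code: the error-reporting pattern discussed in
// this thread. Internal details (paths, versions, traces) go to a log file;
// the visitor gets a generic HTTP 500. Log path and messages are assumptions.

declare(strict_types=1);

// Assumed log location; keep it outside the web root so it cannot be fetched.
const ERROR_LOG_FILE = __DIR__ . '/../data/log.txt';

// Write details that must stay private to the local log only.
function logPrivate(string $message): void
{
    $line = date('c') . ' ' . $message . PHP_EOL;
    // Append atomically; a failure to log must never produce another error page.
    @file_put_contents(ERROR_LOG_FILE, $line, FILE_APPEND | LOCK_EX);
}

// The generic message shown to visitors: it names nothing about the
// installation and only tells the admin where to look.
function genericErrorMessage(): string
{
    return 'An internal error occurred. Please check the server log for details.';
}

// Send a generic 500 response and stop.
function failGeneric(): void
{
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo genericErrorMessage();
    exit(1);
}

// BEFORE: the kind of call this issue is about. The message tells any
// visitor the absolute filesystem path of the installation.
function checkDataDirBefore(string $dataDir): void
{
    if (!is_writable($dataDir)) {
        die('ERROR: ' . realpath(dirname(__FILE__)) . '/' . $dataDir
            . ' is not writable!');
    }
}

// AFTER: the path goes to the log, the visitor gets the generic 500.
function checkDataDirAfter(string $dataDir): void
{
    if (!is_writable($dataDir)) {
        logPrivate('Directory ' . realpath(dirname(__FILE__)) . '/' . $dataDir
            . ' is not writable');
        failGeneric();
    }
}

// PHP version check with the wording nodiscc quotes from sebsauvage/Shaarli#214:
// it states the minimum required version, never the version actually running.
// Returns null when the running version is acceptable.
function checkPhpVersion(string $minimum, string $running = PHP_VERSION): ?string
{
    if (version_compare($running, $minimum, '<')) {
        return 'Your PHP version is obsolete! Shaarli requires at least php '
            . $minimum . ', and thus cannot run. Sorry. Your PHP version has '
            . 'known security vulnerabilities and should be updated as soon as possible.';
    }
    return null;
}

// Catch-all handlers so PHP's own error output (which also contains file
// paths) never reaches the client. Also set display_errors=Off in php.ini.
set_exception_handler(function (Throwable $e): void {
    logPrivate(get_class($e) . ': ' . $e->getMessage()
        . ' in ' . $e->getFile() . ':' . $e->getLine());
    failGeneric();
});
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    if (!(error_reporting() & $no)) {
        return false; // suppressed by @ or error_reporting(): let PHP ignore it
    }
    logPrivate("PHP error $no: $str in $file:$line");
    failGeneric();
    return true;
});

// Startup sequence, as it would run at the top of index.php.
if (($msg = checkPhpVersion('5.1.0')) !== null) {
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo $msg; // safe to show: contains nothing specific to this install
    exit(1);
}
checkDataDirAfter('data');
```

The version message is the one case where showing text to the visitor is fine, because it mentions only the minimum Shaarli needs, not what the host runs. Everything else (paths, exception messages, PHP's own warnings) is routed through logPrivate() and the client sees only the fixed string from genericErrorMessage().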

nodiscc (member) commented Dec 16, 2014

By the way the Shaarli version number can also be probed by accessing shaarli-version.txt

dper commented Dec 16, 2014

Is PHP version leaking a serious issue? As we know, most automated attacks (on whatever server software) try many different vulnerabilities from many different versions.

pVesian commented Dec 16, 2014

You'd also have to control the headers that are sent by the server. Example for http://sebsauvage.net/links/:
Server: Apache/2.2.20 (Unix) mod_ssl/2.2.20 OpenSSL/0.9.8o
X-Powered-By: PHP/5.3.8-pl0-gentoo

nodiscc (member) commented Dec 16, 2014

These headers should be hidden from your webserver configuration (as well as setting ServerTokens to Prod and a few other things). The PHP version leaking is not a serious problem, but it is good practice not to disclose it. The full path disclosure is not nice. This only happens in very special circumstances, but should be fixed anyway.
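A quick way to verify that the web server configuration nodiscc refers to has taken effect is to audit the response headers for version strings. The script below is an added example, not Shaarli's code; the header names it inspects, the version regex and the constructed sample (the two headers pVesian quoted) are its own assumptions.

```php
<?php
// Added example, not Shaarli's code: flags response headers that disclose
// server or PHP versions, as in the sebsauvage.net headers quoted above.
// Header list and regex are this example's assumptions.

declare(strict_types=1);

// Normalise get_headers($url, true) output: drop the numeric status-line
// keys and flatten repeated headers into one comma-joined value.
function normaliseHeaders(array $raw): array
{
    $out = [];
    foreach ($raw as $name => $value) {
        if (is_int($name)) {
            continue; // "HTTP/1.1 200 OK" entries
        }
        $out[$name] = is_array($value) ? implode(', ', $value) : (string) $value;
    }
    return $out;
}

// Return name => value for every header that reveals a software version.
function findVersionDisclosures(array $headers): array
{
    $findings = [];
    foreach ($headers as $name => $value) {
        $lname = strtolower($name);
        // X-Powered-By exists only to advertise PHP (or a framework): any value counts.
        if ($lname === 'x-powered-by') {
            $findings[$name] = $value;
            continue;
        }
        // A bare product name ("Apache") is acceptable; a version string or
        // module list ("Apache/2.2.20 (Unix) mod_ssl/2.2.20") is not.
        if ($lname === 'server' && preg_match('#/\d+(\.\d+)*#', $value)) {
            $findings[$name] = $value;
        }
    }
    return $findings;
}

// Constructed sample: the headers pVesian quoted, plus one harmless header.
$sample = [
    'Content-Type' => 'text/html; charset=utf-8',
    'Server'       => 'Apache/2.2.20 (Unix) mod_ssl/2.2.20 OpenSSL/0.9.8o',
    'X-Powered-By' => 'PHP/5.3.8-pl0-gentoo',
];

// Usage: php check_headers.php                 -> audits the constructed sample
//        php check_headers.php https://host/   -> audits a live response
$headers = isset($argv[1])
    ? normaliseHeaders(get_headers($argv[1], true) ?: [])
    : $sample;

foreach (findVersionDisclosures($headers) as $name => $value) {
    echo "disclosure: $name: $value\n";
}
```

On the sample both headers are reported. The fixes live in the server configuration, not in Shaarli: `ServerTokens Prod` and `ServerSignature Off` reduce Apache's Server header to the bare product name and remove the version footer from server-generated pages, and `expose_php = Off` in php.ini stops PHP from adding X-Powered-By at all. Rerunning the script against the live host after those changes should report nothing.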

nodiscc (member) commented Dec 16, 2014

Fixed in #81

4 participants