Uploaded image for project: 'phpBB'
  1. phpBB
  2. PHPBB-14711

General Error can expose sensitive data to the public

XMLWordPrintable

    • Icon: Security Issue Security Issue
    • Resolution: Cannot Reproduce
    • Icon: Major Major
    • None
    • 3.1.9
    • Other
    • Server: Debian Jessie x64
      Server: Mysql 5.5.49-0+deb8u1
      Server: PHP 5.6.23-0+deb8u1
      Client: Kubuntu 16.04 x64
      Client: Firefox 47.0

      While DEBUG mode is not defined and all configuration settings are pushed for production environment, a simple sql error can expose sensitive data to the public (a guest or bots) such as the database user and the database name, similar to this:

      SQL ERROR [ mysqli ]
      Access denied for user 'dev_user1'@'localhost' to database 'dev_phpbb_db' [1044]
      

      How to reproduce:
      Edit /config.php and change the $dbuser to anything other than the correct one. Then delete all files from the /cache directory except the .htaccess file. Refresh the phpBB page while you are not logged in (same happens while logged in). See the error.

      My fix:
      Edited /includes/functions.php
      Function msg_handler(), on line 4029 the following code exists:

      echo '			<div>' . $msg_text . '</div>';
      

      Enclose this code in an IF statement as follows:

      if (defined('DEBUG'))
      {
      	echo '		<div>' . $msg_text . '</div>';
      }
      

      In order to make the error appear more natural to the public but hide any information about it, the above statement can be like this:

      if (defined('DEBUG'))
      {
      	echo '		<div>' . $msg_text . '</div>';
      }
      else
      {
      	echo '		<div>An error occurred. Please contact an administrator if this problem persists.</div>';
      }
      

            Marc Marc
            eorisis eorisis [X] (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: