Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-14711

General Error can expose sensitive data to the public


    • Type: Security Issue
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.1.9
    • Fix Version/s: None
    • Component/s: Other
    • Labels:
    • Environment:
      Server: Debian Jessie x64
      Server: Mysql 5.5.49-0+deb8u1
      Server: PHP 5.6.23-0+deb8u1
      Client: Kubuntu 16.04 x64
      Client: Firefox 47.0


      While DEBUG mode is not defined and all configuration settings are pushed for production environment, a simple sql error can expose sensitive data to the public (a guest or bots) such as the database user and the database name, similar to this:

      SQL ERROR [ mysqli ]
      Access denied for user 'dev_user1'@'localhost' to database 'dev_phpbb_db' [1044]

      How to reproduce:
      Edit /config.php and change the $dbuser to anything other than the correct one. Then delete all files from the /cache directory except the .htaccess file. Refresh the phpBB page while you are not logged in (same happens while logged in). See the error.

      My fix:
      Edited /includes/functions.php
      Function msg_handler(), on line 4029 the following code exists:

      echo '			<div>' . $msg_text . '</div>';

      Enclose this code in an IF statement as follows:

      if (defined('DEBUG'))
      	echo '		<div>' . $msg_text . '</div>';

      In order to make the error appear more natural to the public but hide any information about it, the above statement can be like this:

      if (defined('DEBUG'))
      	echo '		<div>' . $msg_text . '</div>';
      	echo '		<div>An error occurred. Please contact an administrator if this problem persists.</div>';




            • Assignee:
              eorisis eorisis [X] (Inactive)
            • Votes:
              0 Vote for this issue
              2 Start watching this issue


              • Created: