phpBB3 issue PHPBB3-14711

General Error can expose sensitive data to the public


Details

    • Type: Security Issue
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version: 3.1.9
    • Fix Version: None
    • Component: Other
    • Environment:
      Server: Debian Jessie x64
      Server: MySQL 5.5.49-0+deb8u1
      Server: PHP 5.6.23-0+deb8u1
      Client: Kubuntu 16.04 x64
      Client: Firefox 47.0

    Description

      While DEBUG mode is not defined and all configuration settings are set for a production environment, a simple SQL error can expose sensitive data to the public (a guest or bots), such as the database user and the database name, similar to this:

      SQL ERROR [ mysqli ]
      Access denied for user 'dev_user1'@'localhost' to database 'dev_phpbb_db' [1044]
      

      How to reproduce:
      Edit /config.php and change $dbuser to anything other than the correct one. Then delete all files from the /cache directory except the .htaccess file. Refresh the phpBB page while you are not logged in (the same happens while logged in). See the error.

      My fix:
      Edited /includes/functions.php.
      In function msg_handler(), on line 4029, the following code exists:

      echo '			<div>' . $msg_text . '</div>';
      

      Enclose this code in an IF statement as follows:

      if (defined('DEBUG'))
      {
      	echo '		<div>' . $msg_text . '</div>';
      }
      

      In order to make the error appear more natural to the public while hiding any information about it, the above statement can instead be written like this:

      if (defined('DEBUG'))
      {
      	echo '		<div>' . $msg_text . '</div>';
      }
      else
      {
      	echo '		<div>An error occurred. Please contact an administrator if this problem persists.</div>';
      }
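
      The following is an added, stand-alone example (not phpBB's code and not the reporter's patch) that reproduces the leak described in the report and shows a hardened variant of the same branch. It uses a constructed error string in the shape quoted above; the helper name render_error_body(), the log file location and the use of error_log() to keep the full text for the administrator are assumptions made for this example. Unlike the patch above, the production branch here does not discard the detail: it is written to a server-side log, so an administrator can still diagnose the failure while a guest only sees the generic message. It also HTML-escapes the text in the debug branch, which the original echo does not do.

```php
<?php
// Added example, not phpBB's own code: a minimal stand-in for the part of
// msg_handler() that renders an error page. $msg_text is the DBAL error
// string, which (per the report) contains the DB user and DB name.
// Runs on PHP 5.6+; no type declarations so it matches the reporter's stack.

// Constructed sample error text, in the shape quoted in the report.
$msg_text = "SQL ERROR [ mysqli ]\n"
    . "Access denied for user 'dev_user1'@'localhost' to database 'dev_phpbb_db' [1044]";

/**
 * Build the HTML fragment that would be echoed to the client.
 *
 * @param string $msg_text full error text from the DBAL
 * @param bool   $debug    whether DEBUG is defined (development mode)
 * @param string $log_file where the full text is appended when not in debug mode
 * @return string          HTML fragment for the client
 */
function render_error_body($msg_text, $debug, $log_file)
{
    if ($debug)
    {
        // Development: show the full detail, but escape it so a SQL fragment
        // echoed back from the DBAL cannot inject markup into the error page.
        return '<div>' . htmlspecialchars($msg_text, ENT_QUOTES, 'UTF-8') . '</div>';
    }

    // Production: keep the detail for the administrator, not for the visitor.
    // error_log() with message_type 3 appends to the given file (assumed path).
    error_log('[' . date('c') . '] ' . str_replace("\n", ' ', $msg_text) . PHP_EOL, 3, $log_file);

    return '<div>An error occurred. Please contact an administrator if this problem persists.</div>';
}

$log_file = sys_get_temp_dir() . '/phpbb_sql_errors.log';   // assumed location

// 1. Current behaviour: the detail reaches the client whether or not DEBUG is set.
echo "--- current behaviour (regardless of DEBUG) ---\n";
echo '<div>' . $msg_text . "</div>\n\n";

// 2. Hardened behaviour with DEBUG defined (developer sees the detail).
echo "--- hardened, DEBUG defined ---\n";
echo render_error_body($msg_text, true, $log_file), "\n\n";

// 3. Hardened behaviour without DEBUG (guest sees a generic message).
echo "--- hardened, DEBUG not defined ---\n";
$public_body = render_error_body($msg_text, false, $log_file);
echo $public_body, "\n\n";

// Check: neither the DB user nor the DB name may appear in the public body,
// while both must have been preserved in the server-side log.
$leaked = strpos($public_body, 'dev_user1') !== false
    || strpos($public_body, 'dev_phpbb_db') !== false;
$logged = strpos(file_get_contents($log_file), 'dev_phpbb_db') !== false;
echo $leaked ? "FAIL: credentials leaked to client\n" : "OK: nothing sensitive sent to client\n";
echo $logged ? "OK: full detail kept in $log_file\n" : "FAIL: detail not logged\n";
```

      Run it with `php example.php`. The first section prints the same line a guest sees today; the last two show what a patched msg_handler() would return in each mode, with the detail retained in the log rather than dropped.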
      

      People

        Assignee: Unassigned
        Reporter: eorisis