maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

[SECURITY] Information disclosure on database failures

Browse Source 
In case the database is not responding, e.g. due to "too many connections"
cut-off database credentials might be shown and system path be revealed.
In terms of security this is considered as information disclosure.
This commit is contained in:
Oliver Hader
2016-06-04 20:18:19 +02:00
parent 85f707af8a
commit 2e7133d619
2 changed files with 67 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
install/lib/class.FroxlorInstall.php
View File

@@ -296,7 +296,7 @@ class FroxlorInstall
$content .= $this->_status_message('begin', $this->_lng['install']['creating_configfile']); $content .= $this->_status_message('begin', $this->_lng['install']['creating_configfile']);
$userdata = "<?php\n"; $userdata = "<?php\n";
$userdata .= "//automatically generated userdata.inc.php for Froxlor\n"; $userdata .= "// automatically generated userdata.inc.php for Froxlor\n";
$userdata .= "\$sql['host']='" . addcslashes($this->_data['mysql_host'], "'\\") . "';\n"; $userdata .= "\$sql['host']='" . addcslashes($this->_data['mysql_host'], "'\\") . "';\n";
$userdata .= "\$sql['user']='" . addcslashes($this->_data['mysql_unpriv_user'], "'\\") . "';\n"; $userdata .= "\$sql['user']='" . addcslashes($this->_data['mysql_unpriv_user'], "'\\") . "';\n";
$userdata .= "\$sql['password']='" . addcslashes($this->_data['mysql_unpriv_pass'], "'\\") . "';\n"; $userdata .= "\$sql['password']='" . addcslashes($this->_data['mysql_unpriv_pass'], "'\\") . "';\n";
@@ -305,6 +305,8 @@ class FroxlorInstall
$userdata .= "\$sql_root[0]['host']='" . addcslashes($this->_data['mysql_host'], "'\\") . "';\n"; $userdata .= "\$sql_root[0]['host']='" . addcslashes($this->_data['mysql_host'], "'\\") . "';\n";
$userdata .= "\$sql_root[0]['user']='" . addcslashes($this->_data['mysql_root_user'], "'\\") . "';\n"; $userdata .= "\$sql_root[0]['user']='" . addcslashes($this->_data['mysql_root_user'], "'\\") . "';\n";
$userdata .= "\$sql_root[0]['password']='" . addcslashes($this->_data['mysql_root_pass'], "'\\") . "';\n"; $userdata .= "\$sql_root[0]['password']='" . addcslashes($this->_data['mysql_root_pass'], "'\\") . "';\n";
$userdata .= "// enable debugging to browser in case of SQL errors\n";
$userdata .= "\$sql['debug'] = false;\n";
$userdata .= "?>"; $userdata .= "?>";
// test if we can store the userdata.inc.php in ../lib // test if we can store the userdata.inc.php in ../lib

68
lib/classes/database/class.Database.php
View File

@@ -323,15 +323,18 @@ class Database {
$sql_root = array(0 => array('caption' => 'Default', 'host' => $sql['host'], 'socket' => (isset($sql['socket']) ? $sql['socket'] : null), 'user' => $sql['root_user'], 'password' => $sql['root_password'])); $sql_root = array(0 => array('caption' => 'Default', 'host' => $sql['host'], 'socket' => (isset($sql['socket']) ? $sql['socket'] : null), 'user' => $sql['root_user'], 'password' => $sql['root_password']));
} }
$substitutions = array(
$sql['password'] => 'DB_UNPRIV_PWD',
$sql_root[0]['password'] => 'DB_ROOT_PWD',
);
// hide username/password in messages // hide username/password in messages
$error_message = $error->getMessage(); $error_message = $error->getMessage();
$error_trace = $error->getTraceAsString(); $error_trace = $error->getTraceAsString();
// error-message // error-message
$error_message = str_replace($sql['password'], 'DB_UNPRIV_PWD', $error_message); $error_message = self::_substitute($error_message, $substitutions);
$error_message = str_replace($sql_root[0]['password'], 'DB_ROOT_PWD', $error_message);
// error-trace // error-trace
$error_trace = str_replace($sql['password'], 'DB_UNPRIV_PWD', $error_trace); $error_trace = self::_substitute($error_trace, $substitutions);
$error_trace = str_replace($sql_root[0]['password'], 'DB_ROOT_PWD', $error_trace);
if ($error->getCode() == 2003) { if ($error->getCode() == 2003) {
$error_message = "Unable to connect to database. Either the mysql-server is not running or your user/password is wrong."; $error_message = "Unable to connect to database. Either the mysql-server is not running or your user/password is wrong.";
@@ -365,6 +368,9 @@ class Database {
@fclose($errlog); @fclose($errlog);
if ($showerror) { if ($showerror) {
if (empty($sql['debug'])) {
$error_trace = '';
}
// fallback // fallback
$theme = 'Sparkle'; $theme = 'Sparkle';
@@ -402,4 +408,58 @@ class Database {
die("We are sorry, but a MySQL - error occurred. The administrator may find more information in the syslog"); die("We are sorry, but a MySQL - error occurred. The administrator may find more information in the syslog");
} }
} }
/**
* Substitutes patterns in content.
*
* @param string $content
* @param array $substitutions
* @param int $minLength
* @return string
*/
private static function _substitute($content, array $substitutions, $minLength = 6) {
$replacements = array();
foreach ($substitutions as $search => $replace) {
$replacements = $replacements + self::_createShiftedSubstitutions($search, $replace, $minLength);
}
$content = str_replace(
array_keys($replacements),
array_values($replacements),
$content
);
return $content;
}
/**
* Creates substitutions, shifted by length, e.g.
*
* _createShiftedSubstitutions('abcdefgh', 'value', 4):
* array(
* 'abcdefgh' => 'value',
* 'abcdefg' => 'value',
* 'abcdef' => 'value',
* 'abcde' => 'value',
* 'abcd' => 'value',
* )
*
* @param string $search
* @param string $replace
* @param int $minLength
* @return array
*/
private static function _createShiftedSubstitutions($search, $replace, $minLength) {
$substitutions = array();
$length = strlen($search);
if ($length > $minLength) {
for ($shiftedLength = $length; $shiftedLength >= $minLength; $shiftedLength--) {
$substitutions[substr($search, 0, $shiftedLength)] = $replace;
}
}
return $substitutions;
}
} }