View Issue Details

IDProjectCategoryView StatusLast Update
0023925mantisbtsecuritypublic2018-09-04 02:35
ReporteratrolAssigned Tovboctor 
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version 
Target Version2.11.0Fixed in Version2.11.0 
Summary0023925: Site path leakage in error handler
Description

PHP errors messages are visible for end users in current master.
E.g. before fix of 0023921 users see messages like

APPLICATION ERROR

Argument 1 passed to filter_ensure_valid_filter() must be of the type array, string given, called in /srv/www/bugs/core/current_user_api.php on line 252

The error message was not visible to end users in 2.10.0. You got just a blank screen and the error was logged in web server log.

Most likely it's been introduced by latest changes of error handler, see also ~58719

TagsNo tags attached.

Relationships

related to 0023921 closeddregad CVE-2018-6526: view_all_bug_page Leak path 

Activities

dregad

dregad

2018-02-03 02:26

developer   ~0058726

Thanks @atrol.

@vboctor this should be fixed prior to releasing 2.11 as it is introducing a vulnerability. Since you introduced the issue when refactoring the error handler, can you please have a look for a proper fix that does not break your changes .?

vboctor

vboctor

2018-02-03 03:00

manager   ~0058727

PR: https://github.com/mantisbt/mantisbt/pull/1280

Related Changesets

MantisBT: master 404a75ec

2018-02-03 02:59:09

vboctor

Details Diff
Fix regression that discloses file path in some errors

This was introduced as part of refactoring error handler and it happens
with some errors even when show_detailed_errors is set to OFF.

Fixes 0023925
Affected Issues
0023925
mod - api/soap/mc_api.php Diff File
mod - core/error_api.php Diff File

Issue History

Date Modified Username Field Change
2018-02-02 15:16 atrol New Issue
2018-02-02 15:16 atrol Relationship added related to 0023921
2018-02-03 02:26 dregad Note Added: 0058726
2018-02-03 02:27 dregad Status new => confirmed
2018-02-03 03:00 vboctor Assigned To => vboctor
2018-02-03 03:00 vboctor Status confirmed => assigned
2018-02-03 03:00 vboctor Note Added: 0058727
2018-02-06 11:30 vboctor Changeset attached => MantisBT master 404a75ec
2018-02-06 11:30 vboctor Status assigned => resolved
2018-02-06 11:30 vboctor Resolution open => fixed
2018-02-06 11:30 vboctor Fixed in Version => 2.11.0
2018-02-06 21:17 vboctor Status resolved => closed
2018-09-04 02:35 atrol View Status private => public