View Issue Details

ID: 0023925
Project: mantisbt
Category: security
View Status: public
Last Update: 2019-02-01 11:17
Reporter: atrol
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 2.11.0
Fixed in Version: 2.11.0
Summary: 0023925: Site path leakage in error handler
Description

PHP error messages are visible to end users in current master.
E.g., before the fix of 0023921 users see messages like

APPLICATION ERROR

Argument 1 passed to filter_ensure_valid_filter() must be of the type array, string given, called in /srv/www/bugs/core/current_user_api.php on line 252

The error message was not visible to end users in 2.10.0. You just got a blank screen, and the error was logged in the web server log.

Most likely it's been introduced by the latest changes to the error handler; see also ~58719

Tags: No tags attached.

Relationships

related to 0023921 (closed, dregad): CVE-2018-6526: view_all_bug_page Leak path
related to 0025429 (closed, dregad): Undefined variable t_show_detailed_errors in API REST

Activities

dregad (developer), 2018-02-03 02:26, note ~0058726

Thanks @atrol.

@vboctor this should be fixed prior to releasing 2.11 as it is introducing a vulnerability. Since you introduced the issue when refactoring the error handler, can you please have a look for a proper fix that does not break your changes?

vboctor (manager), 2018-02-03 03:00, note ~0058727

PR: https://github.com/mantisbt/mantisbt/pull/1280

Related Changesets

MantisBT: master 404a75ec (2018-02-03 02:59:09, vboctor)

Fix regression that discloses file path in some errors

This was introduced as part of refactoring error handler and it happens
with some errors even when show_detailed_errors is set to OFF.

Fixes 0023925

Affected Issues: 0023925
mod - api/soap/mc_api.php
mod - core/error_api.php

MantisBT: master 15c7af56 (2018-02-03 18:53:37, vboctor)

Revert "Fix regression that discloses file path in some errors"

This reverts commit d5d85f17bf934f6a13abcce69fec41171096205e.

Affected Issues: 0023925
mod - api/soap/mc_api.php
mod - core/error_api.php

MantisBT: master 2aa1c090 (2018-02-03 20:22:59, vboctor)

Don’t show php exceptions but log them

Affected Issues: 0023925
mod - api/rest/index.php
mod - api/soap/mc_api.php
mod - core/error_api.php

MantisBT: master 70324479 (2018-02-06 01:14:35, vboctor)

Fix func name typo for getting stack trace as string

Affected Issues: 0023925
mod - api/rest/index.php
mod - api/soap/mc_api.php
mod - core/error_api.php

MantisBT: master a770ccfb (2018-02-06 01:21:06, vboctor)

Show exceptions in UI when show detailed errors is ON

Affected Issues: 0023925
mod - core/error_api.php

MantisBT: master b2119ce0 (2018-02-06 01:24:15, vboctor)

Show PHP exception in REST only if detailed errors is ON

Affected Issues: 0023925, 0025429
mod - api/rest/index.php
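
A minimal illustration of the approach the changesets above settle on: log the full exception (message, file, line, trace) on the server, and show it to the user only when detailed errors are ON. This is added example code, not MantisBT's error_api.php; the function render_throwable, the $g_show_detailed_errors variable and the stub filter_ensure_valid_filter used to trigger the error are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Assumed stand-in for MantisBT's show_detailed_errors config option.
// OFF is the safe production default: no path, class name or trace reaches the browser.
$g_show_detailed_errors = false;

function render_throwable(Throwable $e, bool $show_detailed): string {
    // Server-side log always keeps the full detail for the administrator,
    // including the absolute file path the user must not see.
    $log = sprintf(
        "%s: %s in %s:%d\nStack trace:\n%s",
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        $e->getTraceAsString()
    );
    error_log($log);

    if ($show_detailed) {
        // Detailed mode: mirror what was logged. Intended for development setups.
        return "APPLICATION ERROR\n\n" . $log;
    }
    // Default: generic text only. The exception message itself is not echoed,
    // because PHP type errors embed the caller's path in it.
    return "APPLICATION ERROR\n\nAn internal error occurred. "
         . "Details have been logged on the server.";
}

// Stub with the same signature shape as the function named in the report,
// used only to provoke the kind of TypeError quoted there.
function filter_ensure_valid_filter(array $p_filter): array {
    return $p_filter;
}

try {
    // Constructed trigger: PHP's TypeError message includes
    // "called in /absolute/path/to/this/file.php on line N".
    filter_ensure_valid_filter('not an array');
} catch (Throwable $t_error) {
    echo render_throwable($t_error, $g_show_detailed_errors), PHP_EOL;
}
```

Flip $g_show_detailed_errors to true to see the same output the report quotes, path included, which is why the setting must stay OFF on a public instance.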

Issue History

Date Modified Username Field Change
2018-02-02 15:16 atrol New Issue
2018-02-02 15:16 atrol Relationship added related to 0023921
2018-02-03 02:26 dregad Note Added: 0058726
2018-02-03 02:27 dregad Status new => confirmed
2018-02-03 03:00 vboctor Assigned To => vboctor
2018-02-03 03:00 vboctor Status confirmed => assigned
2018-02-03 03:00 vboctor Note Added: 0058727
2018-02-06 11:30 vboctor Changeset attached => MantisBT master 404a75ec
2018-02-06 11:30 vboctor Status assigned => resolved
2018-02-06 11:30 vboctor Resolution open => fixed
2018-02-06 11:30 vboctor Fixed in Version => 2.11.0
2018-02-06 21:17 vboctor Status resolved => closed
2018-09-04 02:35 atrol View Status private => public
2019-02-01 11:12 dregad Relationship added related to 0025429
2019-02-01 11:14 dregad Changeset attached => MantisBT master b2119ce0
2019-02-01 11:17 dregad Changeset attached => MantisBT master a770ccfb
2019-02-01 11:17 dregad Changeset attached => MantisBT master 70324479
2019-02-01 11:17 dregad Changeset attached => MantisBT master 2aa1c090
2019-02-01 11:17 dregad Changeset attached => MantisBT master 15c7af56