View Issue Details

ID: 0023925
Project: mantisbt
Category: security
View Status: public
Last Update: 2019-02-01 11:17
Reporter: atrol
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 2.11.0
Fixed in Version: 2.11.0
Summary: 0023925: Site path leakage in error handler
Description

PHP error messages are visible to end users in current master.
E.g. before the fix of 0023921, users see messages like

APPLICATION ERROR

Argument 1 passed to filter_ensure_valid_filter() must be of the type array, string given, called in /srv/www/bugs/core/current_user_api.php on line 252

The error message was not visible to end users in 2.10.0. You got just a blank screen and the error was logged in the web server log.

Most likely it's been introduced by the latest changes to the error handler, see also ~58719

Tags: No tags attached.

Relationships

related to 0023921 closed dregad CVE-2018-6526: view_all_bug_page Leak path
related to 0025429 closed dregad Undefined variable t_show_detailed_errors in API REST

Activities

dregad


2018-02-03 02:26

developer   ~0058726

Thanks @atrol.

@vboctor this should be fixed prior to releasing 2.11 as it is introducing a vulnerability. Since you introduced the issue when refactoring the error handler, can you please have a look for a proper fix that does not break your changes?

vboctor


2018-02-03 03:00

manager   ~0058727

PR: https://github.com/mantisbt/mantisbt/pull/1280

Related Changesets

MantisBT: master 404a75ec

2018-02-02 21:59

vboctor


Fix regression that discloses file path in some errors

This was introduced as part of refactoring error handler and it happens
with some errors even when show_detailed_errors is set to OFF.

Fixes 0023925
Affected Issues: 0023925
mod - api/soap/mc_api.php
mod - core/error_api.php

MantisBT: master 15c7af56

2018-02-03 13:53

vboctor


Revert "Fix regression that discloses file path in some errors"

This reverts commit d5d85f17bf934f6a13abcce69fec41171096205e.
Affected Issues: 0023925
mod - api/soap/mc_api.php
mod - core/error_api.php

MantisBT: master 2aa1c090

2018-02-03 15:22

vboctor


Don’t show php exceptions but log them
Affected Issues: 0023925
mod - api/rest/index.php
mod - api/soap/mc_api.php
mod - core/error_api.php

MantisBT: master 70324479

2018-02-05 20:14

vboctor


Fix func name typo for getting stack trace as string
Affected Issues: 0023925
mod - api/rest/index.php
mod - api/soap/mc_api.php
mod - core/error_api.php

MantisBT: master a770ccfb

2018-02-05 20:21

vboctor


Show exceptions in UI when show detailed errors is ON
Affected Issues: 0023925
mod - core/error_api.php

MantisBT: master b2119ce0

2018-02-05 20:24

vboctor


Show PHP exception in REST only if detailed errors is ON
Affected Issues: 0023925, 0025429
mod - api/rest/index.php
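
The behaviour these changesets describe (always log the PHP exception, show its text only when show_detailed_errors is ON), as an added PHP example that is not MantisBT's code. `SHOW_DETAILED_ERRORS`, `render_exception()` and `ensure_valid_filter()` are hypothetical names, and the final call is a constructed trigger for a TypeError like the one in the report.

```php
<?php
// Added example, not MantisBT code. All names below are hypothetical.

// Stands in for the show_detailed_errors setting; keep it false in production.
const SHOW_DETAILED_ERRORS = false;

/**
 * Return the text that may be sent to the client for an uncaught exception.
 * Full details (message, file, line, stack trace) always go to the server log.
 */
function render_exception(Throwable $e, bool $showDetailed): string
{
    // Short random reference so an admin can match a user's report to the log entry.
    $ref = bin2hex(random_bytes(4));

    error_log(sprintf(
        "[%s] %s: %s in %s:%d\n%s",
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        $e->getTraceAsString()
    ));

    if ($showDetailed) {
        // A TypeError message embeds "called in <path> on line N", so this
        // branch discloses the site path by design. Escape before output.
        return 'APPLICATION ERROR: '
            . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }

    // Default: nothing derived from the exception reaches the client.
    return "APPLICATION ERROR (reference $ref). Details were written to the server log.";
}

set_exception_handler(function (Throwable $e): void {
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo render_exception($e, SHOW_DETAILED_ERRORS);
});

// Constructed trigger: passing a string where an array is required.
function ensure_valid_filter(array $filter): array
{
    return $filter;
}

ensure_valid_filter('not-an-array');
```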