
[Security] DB User & Password shown in clear text in error message #760

Closed
JFJanssen opened this issue Dec 12, 2015 · 3 comments

@JFJanssen

Hi!

I found my MySQL installation broken, which is a fixable problem of course.
However, when visiting my site, I saw the following message:

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000] [2003] Can't connect to MySQL server on '127.0.0.1' (111)' in /var/www/html/SiteName/application/core/DatabaseFactory.php:42 Stack trace: #0 /var/www/html/SiteName/application/core/DatabaseFactory.php(42): PDO->__construct('mysql:host=127....', 'root', '<<<CLEARTEXTPASSWORD_SHOWN_HERE>>>', Array) #1 /var/www/html/SiteName/application/model/UserModel.php(307): DatabaseFactory->getConnection() #2 /var/www/html/SiteName/application/model/LoginModel.php(92): UserModel::getUserDataByUsername('CLEARTEXT_USERNAME_SHOWN_HERE') #3 /var/www/html/SiteName/application/model/LoginModel.php(28): LoginModel::validateAndGetUser('CLEARTEXT_USERNAME_SHOWN_HERE', '<<<CLEARTEXTPASSWORD_SHOWN_HERE>>>') #4 /var/www/html/SiteName/application/controller/LoginController.php(38): LoginModel::login('CLEARTEXT_USERNAME_SHOWN_HERE', '<<<CLEARTEXTPASSWORD_SHOWN_HERE>>>', 'on') #5 /var/www/html/SiteName/application/core/Application.php(46): LoginController->login() #6 /var/www/html/SiteName/public/index.php(17): Application->__construct() #7 {main} thrown in /var/www/html/SiteName/application/core/DatabaseFactory.php on line 42

I cannot reproduce the situation, and that leaves me worried of course.
Is this something I should fix on my side only (change settings for displaying error messages to NONE and so forth), or is this also something you might not be happy with in your (fantastic!) framework?

To be clear, this is not a support question; rather it is a security question for the project: is this behaviour acceptable for your philosophy?

Best wishes,

Jerom

@panique panique changed the title Security Issue :: DB User & Password shown in clear text in error message [Security] DB User & Password shown in clear text in error message Dec 12, 2015
@slaveek
Contributor

slaveek commented Dec 12, 2015

I confirm that!
How to reproduce that issue:

  1. Go to login page
  2. Turn off your mysql server
  3. Go to login page again and type user name and password
  4. Click login

That happens when the DB server is not reachable.
EDIT:
or when there are too many connections to the DB server.

Unfortunately PDO throws so much info, which is good for development but not for production.

To make it more secure, the DB connection should be in a try/catch block and throw a custom error message (it was in the previous version, as I remember).

Then of course set display error to none in config for production.
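The mitigation described in this comment, as an added example that is not the project's own code: wrap the `PDO` constructor in a try/catch, log the driver message server-side, and throw a generic exception that does not chain the original `PDOException` (chaining it would keep the constructor arguments, password included, reachable through `getPrevious()`). The class and method names (`SafeDatabaseFactory`, `getConnection`, `DatabaseConnectionException`) and the production ini settings shown in comments are assumptions for this illustration. Note that the reported trace also shows the login username and password as arguments of the `LoginModel::login` frame; a try/catch around the connection does not remove those from an uncaught trace, so `display_errors=Off` (and, on PHP 7.4+, `zend.exception_ignore_args=On`) remains necessary in production.

```php
<?php
// Added example, not the framework's code. Names and settings are assumptions.
//
// Production defaults (normally php.ini, not runtime code):
//   display_errors = Off            ; never render traces to the browser
//   log_errors = On                 ; keep them in the server log instead
//   zend.exception_ignore_args = On ; PHP 7.4+: drop call arguments from traces
declare(strict_types=1);

// Generic error the rest of the application is allowed to see.
class DatabaseConnectionException extends RuntimeException {}

final class SafeDatabaseFactory
{
    private ?PDO $pdo = null;

    public function __construct(
        private string $dsn,
        private string $user,
        // PHP 8.2+: redacts this value in backtraces even if the trace is shown.
        #[\SensitiveParameter] private string $password,
    ) {}

    public function getConnection(): PDO
    {
        if ($this->pdo !== null) {
            return $this->pdo;
        }

        try {
            $this->pdo = new PDO($this->dsn, $this->user, $this->password, [
                PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            ]);
        } catch (PDOException $e) {
            // The driver message (host, SQLSTATE, errno) is useful to the
            // operator, so keep it in the server log. It does not contain the
            // password, but the exception's trace does, so never expose $e.
            error_log('Database connection failed: ' . $e->getMessage());

            // Deliberately NOT passing $e as the $previous argument: a chained
            // exception would carry the original trace and its arguments.
            throw new DatabaseConnectionException(
                'The database is currently unavailable. Please try again later.'
            );
        }

        return $this->pdo;
    }
}

// Last line of defence: whatever escapes uncaught is logged, and the client
// gets a plain 500 page with no trace, regardless of display_errors.
set_exception_handler(static function (Throwable $t): void {
    error_log(sprintf('Unhandled %s: %s', get_class($t), $t->getMessage()));
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'An internal error occurred.';
});

// Usage demonstration with a constructed, unreachable DSN (port 1 is refused
// immediately on localhost; without the mysql driver PDO fails just as fast).
$factory = new SafeDatabaseFactory(
    'mysql:host=127.0.0.1;port=1;dbname=example',
    'example_user',
    'example-password-never-shown'
);

try {
    $factory->getConnection();
} catch (DatabaseConnectionException $e) {
    // Only the generic message reaches this point; credentials stay out of it.
    echo $e->getMessage(), PHP_EOL;
}
```

Run this from the CLI with no database listening and the only output is the generic message, while the real driver error goes to the PHP error log. The `#[\SensitiveParameter]` attribute is a PHP 8.2 feature; on older versions the line is simply ignored and the ini settings above carry the protection on their own.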

@panique
Owner

panique commented Dec 12, 2015

Good point guys! Thanks for the bug report!
Can somebody please commit a fix (I'm out of time currently)?

👍

@panique
Owner

panique commented Dec 19, 2015

This is now fixed in dev + master branch! Thanks to @slaveek for fixing this!

@panique panique closed this as completed Dec 19, 2015