[Security] DB User & Password shown in clear text in error message #760
Comments
I confirm that!
That happens when the DB server is not reachable. Unfortunately PDO throws so much info, which is good for development but not for production. To make it more secure, the DB connection should be in Then of course set display errors to none in config for production.
Good point guys! Thanks for the bug report! 👍
This is now fixed in dev + master branch! Thanks to @slaveek for fixing this!
Hi!
I found my MySQL-installation broken, which is a fixable problem of course.
However, when visiting my site, I saw the following message:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000] [2003] Can't connect to MySQL server on '127.0.0.1' (111)' in /var/www/html/SiteName/application/core/DatabaseFactory.php:42 Stack trace: #0 /var/www/html/SiteName/application/core/DatabaseFactory.php(42): PDO->__construct('mysql:host=127....', 'root', '<<<CLEARTEXTPASSWORD_SHOWN_HERE>>>', Array) #1 /var/www/html/SiteName/application/model/UserModel.php(307): DatabaseFactory->getConnection() #2 /var/www/html/SiteName/application/model/LoginModel.php(92): UserModel::getUserDataByUsername('CLEARTEXT_USERNAME_SHOWN_HERE') #3 /var/www/html/SiteName/application/model/LoginModel.php(28): LoginModel::validateAndGetUser('CLEARTEXT_USERNAME_SHOWN_HERE', '<<<CLEARTEXTPASSWORD_SHOWN_HERE>>>') #4 /var/www/html/SiteName/application/controller/LoginController.php(38): LoginModel::login('CLEARTEXT_USERNAME_SHOWN_HERE', '<<<CLEARTEXTPASSWORD_SHOWN_HERE>>>', 'on') #5 /var/www/html/SiteName/application/core/Application.php(46): LoginController->login() #6 /var/www/html/SiteName/public/index.php(17): Application->__construct() #7 {main} thrown in /var/www/html/SiteName/application/core/DatabaseFactory.php on line 42
I cannot reproduce the situation, and that leaves me worried of course.
Is this something I should fix on my side only (change settings on displaying error messages to NONE and so forth), or is this also something you might not be happy with in your (fantastic!) framework?
To be clear, this is not a support question; rather it is a security question for the project: is this behaviour acceptable for your philosophy?
Best wishes,
Jerom
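The mitigation suggested in the comments above (catch the PDO exception at the connection site and rethrow without the original trace, then keep display_errors off in production), written out as an added example that is not the project's own code. DB_HOST, DB_NAME, DB_USER and DB_PASS are assumed configuration constants.

```php
<?php
// Added example, not the project's code. Why the original leaks: PHP traces record
// each frame's arguments, so an uncaught PDOException shows PDO->__construct(dsn,
// user, PASSWORD). Companion php.ini settings for production (real directives):
//   display_errors = Off
//   log_errors = On
//   zend.exception_ignore_args = On   ; PHP 7.4+, strips arguments from traces
final class DatabaseFactory
{
    private static ?PDO $connection = null;

    public static function getConnection(): PDO
    {
        if (self::$connection !== null) {
            return self::$connection;
        }
        // Assumed config constants; the real project's names may differ.
        $dsn = 'mysql:host=' . DB_HOST . ';dbname=' . DB_NAME . ';charset=utf8mb4';
        try {
            self::$connection = new PDO($dsn, DB_USER, DB_PASS, [
                PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            ]);
        } catch (PDOException $e) {
            // Keep the real reason server-side only. getMessage() carries the
            // SQLSTATE text (e.g. "[2003] Can't connect to MySQL server ...")
            // but not the credentials; those sit in the trace, which is not logged.
            error_log('Database connection failed: ' . $e->getMessage());
            // Rethrow WITHOUT passing $e as $previous: a chained exception keeps
            // the original trace, and that trace holds the PDO constructor
            // arguments, i.e. the clear-text DB password.
            throw new RuntimeException('Database connection failed.');
        }
        return self::$connection;
    }
}
```

The replacement exception's own trace still records the calling frames (for instance a login method called with the user's submitted password), so display_errors=Off and zend.exception_ignore_args=On are needed in addition to the catch, not instead of it.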