Software Security/Group 3/Verdict/V8.1 moreInfo

phpBB implements (limited) error handling in the following manner. A single function, message_die, is used for most errors; it accepts the following parameters:

  • msg_code: a code that defines the type/severity of the message (for example GENERAL_MESSAGE)
  • msg_text: the error message, or the key of a language string
  • msg_title: (optional) if not specified, it is set automatically depending on msg_code
  • err_line: (optional) see err_file
  • err_file: (optional) these two parameters add the file and line number of the error to the debug output. This only happens if the DEBUG flag is set and both parameters are specified.
  • sql: (optional) the failed query; if the DEBUG flag is set, the database error is obtained from the sql_error() function and shown as well

This function ensures that detailed information is only shown when the DEBUG flag is set. Normally a user only sees the message selected by msg_text, which should contain no sensitive information. For example, the following code is executed when a topic is requested that does not exist:

message_die(GENERAL_MESSAGE, 'Topic_post_not_exist');

This states that this is a general message (not a critical error). A language-dependent text is then shown to the user, saying that the topic or post does not exist. For English this is defined in ./language/lang_english/lang_main.php as:

$lang['Topic_post_not_exist'] = "The topic or post you requested does not exist";

This gives an appropriate error message without leaking information. At the end, message_die() calls die(), so no further output, and therefore no further leakage, can follow.


Our manual inspection revealed that this function is used for most common errors. Some phpBB files, however, bypass it and leak information. For example, phpbb/db/oracle.php generates a PHP fatal error (printed by PHP itself, not by message_die) that reveals the absolute installation path:

Fatal error: Cannot redeclare sql_db::sql_nextid() in /opt/lampp/htdocs/phpbb/db/oracle.php on line 405.

Also, some manual penetration testing revealed errors that leak information such as usernames. Example debug output (xxxxxxxxxxxxxxxxxxxxxxxxx is a username we created for the test; note that the first line is the msg_text passed to message_die and is therefore displayed even without DEBUG, only the Line/File block below it depends on the flag):


Couldn't find template file: ./language/lang_xxxxxxxxxxxxxxxxxxxxxxxxx/email/topic_notify.tpl

DEBUG MODE

Line : 99
File : /opt/lampp/htdocs/phpbb/includes/emailer.php 

Another point is that, as explained on the previous page, this style of error handling lets tools like nikto determine the phpBB version in use, which is something one should keep private. All in all, this requirement could be passed with a little more care, but in its current state the error handling leaks enough to judge the requirement as failed.
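The checks made by hand above (paths, debug output, usernames, version strings in error pages) can be automated. The following Python script is an added example, not part of the original report or of phpBB: it runs a small set of leak patterns over constructed response bodies modelled on the outputs quoted above. The "version_footer" sample, the pattern set and the TEST_USERNAME constant are assumptions for illustration, not data from the tested installation.

```python
import re

# Username created for the test (placeholder, as in the report above).
TEST_USERNAME = "xxxxxxxxxxxxxxxxxxxxxxxxx"

# Constructed response bodies modelled on the outputs quoted in this report;
# they were not captured from a live system. "version_footer" is an assumed
# example of a version string that a scanner such as nikto would pick up.
SAMPLES = {
    "topic_not_found": "The topic or post you requested does not exist",
    "oracle_fatal": (
        "Fatal error: Cannot redeclare sql_db::sql_nextid() in "
        "/opt/lampp/htdocs/phpbb/db/oracle.php on line 405."
    ),
    "emailer_debug": (
        "Couldn't find template file: "
        f"./language/lang_{TEST_USERNAME}/email/topic_notify.tpl\n"
        "\nDEBUG MODE\n\nLine : 99\n"
        "File : /opt/lampp/htdocs/phpbb/includes/emailer.php"
    ),
    "version_footer": "Powered by phpBB 2.0.23 (constructed sample)",
}

# Each pattern is one category of information an error page should not expose.
PATTERNS = {
    # PHP's own error output (display_errors on); message_die never emits this.
    "php_error": re.compile(r"^\s*(?:Fatal error|Parse error|Warning|Notice):", re.M),
    # Absolute or relative paths ending in a source or template file.
    "file_path": re.compile(r"(?<![\w/])\.?/(?:[\w.-]+/)+[\w.-]+\.(?:php|inc|tpl)"),
    # message_die's debug block: the banner and its Line/File fields.
    "debug_banner": re.compile(r"^DEBUG MODE$", re.M),
    "debug_fileline": re.compile(r"^(?:Line|File)\s*:\s*\S.*$", re.M),
    # Product version strings that let a scanner fingerprint the install.
    "version_string": re.compile(r"phpBB\s+\d+\.\d+(?:\.\d+)?"),
}


def find_leaks(body, known_secrets=()):
    """Return (category, matched_text) pairs for everything in body that
    should not be shown to an end user. known_secrets lists values only the
    tester knows (e.g. a username created for the test)."""
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(body):
            hits.append((name, m.group(0)))
    for secret in known_secrets:
        if secret and secret in body:
            hits.append(("known_secret", secret))
    return hits


def audit(responses, known_secrets=()):
    """Map each response name to the sorted list of leak categories it
    triggers; an empty list means the page passes the check."""
    return {
        name: sorted({cat for cat, _ in find_leaks(body, known_secrets)})
        for name, body in responses.items()
    }


if __name__ == "__main__":
    for name, cats in audit(SAMPLES, known_secrets=[TEST_USERNAME]).items():
        status = "PASS" if not cats else "LEAK: " + ", ".join(cats)
        print(f"{name:16s} {status}")
```

Only the generic "topic or post does not exist" message passes; the other three samples are flagged for exactly the reasons given in the verdict above (PHP error output with an absolute path, message_die debug output containing a path and the test username, and a version string). Against a real installation one would feed the script the bodies of error responses instead of the constructed samples.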