Web Apps


uiWebPrevious1uiWebNext

#1

I keep reading notices and warnings in the official apps, for a productive system these messages should be logged and not displayed in public. In the worst case they give additional information away, information a potential attacker may use to compromise the system.

Example: (zensored)
Notice: Undefined offset: -2 in /****/app_index/CalendarRender.php on line 150

#2

Here is another one in the forum app opened in the web browser:

Notice: Undefined index: lang in /****/common/auth.php on line 31

Even worse, register globals is activated!

The following sample url removes the warning and proves this configuration flaw:

http://app.ryzom.com/app_forum/index.php?page=forum/view/4&la ng=blabla

Please take a moment and read up why register globals is bad here http://phpsec.org/projects/guide/1.html

Last edited by Arty (1 decade ago)

#3

The WebIG is accessed so frequently that an error log is hard to read. I don't think the WebIG is meant to be secure, it's rather meant to be easily maintainable. Most/many php source files are public anyway (and if you check them there are more serious issues to complain about than a visible error log).

If you actually find a security issue that is exploitable, file a ticket. Those must not be posted in a public forum.

---

Casy * Foreign Secretary * Alliance of Honor
Intensive Care Bear

#4

I agree.
uiWebPrevious1uiWebNext
 
Last visit Friday, 22 November 08:45:35 UTC
P_:G_:PLAYER

powered by ryzom-api