[fix] FUD Full Path Disclosure

[Knah-Tsaeb]

@TeamAlexandriZ report Full Path Disclosure sebsauvage#222

[ArthurHoaro]

This doesn't work because the setting needs to be set before session initialisation.

[Knah-Tsaeb]

D'oh ! Of course, my bad. I would like go too fast.
How to cancel a pull request ?

[TeamAlexandriZ]

Hi,
I've see the fix +ini_set('display_errors', false);
It's a way... but i'm not sure it's the best way.
This is a full path disclosure by null session cookie, this is not a configuration problem but coding problem, hide the problem does not correct him. See this blog post of this well know pentester and dev of famous wpscan.
http://blog.dewhurstsecurity.com/2011/10/05/full-path-disclosure-fpd.html
The user cookie input shaarli must be sanitized as all user input to not cause error.
But it's just my opinion.

[nodiscc]

Hi everyone, @TeamAlexandriZ thank you very much for reporting this, nice find!
@Knah-Tsaeb thanks for the patch.

About fixing this

• errors should never be displayed in production or on an internet-facing server, unless the admin has a very good reason. In this case, the vulnerable servers are improperly configured.
  • We should clearly recommend "secure" configuration settings in https://github.com/shaarli/Shaarli/wiki/Server-configuration and maybe in https://github.com/shaarli/Shaarli#installing
  • Shaarli should enforce secure settings by default, as proposed in @Knah-Tsaeb's patch. @ArthurHoaro how do we set this before the session is initialized?
  • FInally, all forgeable input values (cookies, some http headers) should be sanitized/and/or/discarded before use (should we open another issue for this?)

[virtualtam]

Hello!

Quick question (no Apache to run tests right now): does it disable all logging errors (i.e., will it hide errors on a debug server)?

In Apache, most settings can be configured through both virtualhost definition and custom .htaccess files, e.g.:

<VirtualHost *:80>
    ServerName   shaarli.my-domain.org
    DocumentRoot /absolute/path/to/shaarli/

    LogLevel  warn
    ErrorLog  /var/log/apache2/shaarli-error.log
    CustomLog /var/log/apache2/shaarli-access.log combined

    # do not display PHP errors
    php_flag display_startup_errors off
    php_flag display_errors off
    php_flag html_errors off

    # log PHP errors to a file
    php_flag  log_errors on
    php_value error_log  /var/log/apache2/shaarli-php-error.log
</VirtualHost>

Could someone check if this works, and update the Server configuration page accordingly?

[ArthurHoaro]

Hi I don't have much time tonight but:

• I'll submit a PR soon which prevent the error (so no FPD issue).

@ArthurHoaro how do we set this before the session is initialized?

• just declare it before the session initialization.
• @virtualtam php.ini, vhost config, .htaccess, and PHP code.

For example, on my server, in php.ini, I have display_errors = Off. But for my workspace virtual apache host, I added:

php_value error_reporting 2147483647 # constant for E_ALL
php_value display_errors 1

Should display_errors be forced for Shaarli... I don't know.

[virtualtam]

A quick word about configuration priority :)

• php.ini is overridden by application settings
  • I don't know if PHP flags passed in a VirtualHost definition override app setting, though
• .htaccess are overriden by VirtualHosts, which in turn are overriden by the main Apache config

The virtual host definition can be used for convenience, to group all settings (native Apache entries, flags passed to PHP) in the same place. The real advantage here is that it is independent from the applications' sources, thus safe from upstream changes made to PHP flags or htaccess restrictions.

php_value error_reporting 2147483647 # constant for E_ALL

Stumbled on this SO thread as well, it looks both hackish (the value for E_ALL changes depending on the PHP version) and deprecated (see PHP Error function constants).

php_value display_errors 1

Shouldn't it be php_value display_errors on ?

If needed, I'll be back to a proper development environment next week to run more extensive tests :)

[virtualtam]

@Knah-Tsaeb @TeamAlexandriZ should we close this PR as a duplicate of #306?

[nicolasdanelon]

I use Apache do you want me to test this?

On Thu, 13 Aug 2015 14:33 VirtualTam [email protected] wrote:

@Knah-Tsaeb https://github.com/Knah-Tsaeb @TeamAlexandriZ
https://github.com/TeamAlexandriZ should we close this PR as a
duplicate of #306 #306?

—
Reply to this email directly or view it on GitHub
#298 (comment).

[virtualtam]

@nicolasdanelon If you have some time to toy with Apache and PHP configuration, that'd be awesome!

In the near future, there'll be development-ready Docker templates / images under docker-shaarli to experiment with config with no fear of breaking everything ;-)

[nicolasdanelon]

Using you configuration posted on 29 / 06 / 2015 with user shaarli and passwod shaarli

Name	shaarli
Value	bno9e4tbqqsd8odrlaonhj1et0
Host	.shaarli.nicolasmd.com.ar
Path	/
Expires	Sat, 13 Aug 2016 16:52:29 GMT
Secure	No
HttpOnly	No

[ArthurHoaro]

Alright, I'm not sure what we're talking about. I was just giving an example.

The question here is: should we force Shaarli to not display PHP errors?

IMHO, no. It should rely on server configuration. Anyway, if we do, this PR needs to be rebased.

[nodiscc]

should we force Shaarli to not display PHP errors?

IMHO, Yes by default unless a particular option is set in config.php.

[virtualtam]

Closing this issue, as #306 adds the proper session cookie checks