Details

    • Bug
    • Resolution: Fixed
    • Minor
    • None
    • Professional Edition
    • Security
    • None
    • CentOS 7 and Apache 2.4 with PHP 5.4.16 with all security patches from CentOS repos.

    Description

      Hello, I see a small security bug: when I make a request to the observium server like https://servername/&debug, I can see debug information from the server.

      As I see it, the issue is in definitions.inc.php
      in the debug section.

      // Set DEBUG
      if (isset($options['d']))
      {
        // CLI
        echo("DEBUG!\n");
        define('OBS_DEBUG', count($options['d'])); // -d == 1, -dd == 2..
        ini_set('display_errors', 1);
        ini_set('display_startup_errors', 1);
        ini_set('log_errors', 1);
        if (OBS_DEBUG > 1)
        {
          //ini_set('error_reporting', E_ALL ^ E_NOTICE); // FIXME, too many warnings ;)
          ini_set('error_reporting', E_ALL ^ E_NOTICE ^ E_WARNING);
        }
        else
        {
          ini_set('error_reporting', E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR); // Only various errors
        }
      }
      else if ((isset($_SERVER['PATH_INFO']) && strpos($_SERVER['PATH_INFO'], 'debug')) ||
               (isset($_SERVER['REQUEST_URI']) && strpos($_SERVER['REQUEST_URI'], 'debug')) ||
               (isset($_REQUEST['debug']) && $_REQUEST['debug']))
      {
        // WEB

        // Note, for security reasons set OBS_DEBUG constant in WUI moved to auth module
        if (isset($config['web_debug_unprivileged']) && $config['web_debug_unprivileged'])
        {
          define('OBS_DEBUG', 1);
        }
        else
        {
          define('OBS_DEBUG_WUI', 1); // Temporary constant, for check in auth module
        }

        ini_set('display_errors', 1);
        ini_set('display_startup_errors', 1);
        ini_set('log_errors', 1);
        ini_set('error_reporting', E_ALL ^ E_NOTICE);
        //$vars['debug'] = 'yes';
      }
      else
      {
        define('OBS_DEBUG', 0);
        ini_set('display_errors', 0);
        ini_set('display_startup_errors', 0);
        ini_set('log_errors', 1);
        //ini_set('error_reporting', 0); // Default
      }
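As an added example (not Observium's code and not the r8138 fix), the snippet below keeps the same URL trigger as the section above but decides whether to display errors from the authenticated user's level (the >= 7 threshold quoted later in this thread), so an anonymous client fetching /&debug gets nothing; $user_level is an assumed variable set by the auth module, and the sample request is constructed.

```php
<?php
// Added example, not Observium code: the web branch above calls
// ini_set('display_errors', 1) as soon as 'debug' appears in the URL, before any
// login check, so PHP warnings reach anonymous clients. Here the same trigger is
// kept but error *display* is decided from the caller's level (assumed variable
// $user_level, null when anonymous); error *logging* is never gated.

function debug_requested(array $server, array $request)
{
    // Same test as the original; !== false avoids strpos() returning offset 0
    // (falsy) for a match at the start of the string.
    return (isset($server['PATH_INFO']) && strpos($server['PATH_INFO'], 'debug') !== false)
        || (isset($server['REQUEST_URI']) && strpos($server['REQUEST_URI'], 'debug') !== false)
        || !empty($request['debug']);
}

// Vulnerable decision (shape of the original): the URL alone enables display.
function display_errors_vulnerable(array $server, array $request)
{
    return debug_requested($server, $request);
}

// Hardened decision: the URL only *asks* for debug; an anonymous or low-level
// user never gets error output unless the operator opted in via the existing
// $config['web_debug_unprivileged'] knob. Level >= 7 is the threshold named in the thread.
function display_errors_hardened(array $server, array $request, $user_level, array $config)
{
    if (!debug_requested($server, $request)) {
        return false;
    }
    if (!empty($config['web_debug_unprivileged'])) {
        return true;
    }
    return $user_level !== null && $user_level >= 7;
}

// Apply the decision; log_errors stays on in every case.
function apply_error_policy($display)
{
    ini_set('log_errors', '1');
    ini_set('display_errors', $display ? '1' : '0');
    ini_set('display_startup_errors', $display ? '1' : '0');
    error_reporting($display ? (E_ALL & ~E_NOTICE) : (E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR));
}

$server = array('REQUEST_URI' => '/&debug'); // constructed: anonymous client fetching /&debug
var_dump(display_errors_vulnerable($server, array()));              // anonymous, URL-only check
var_dump(display_errors_hardened($server, array(), null, array())); // anonymous, level-gated check
var_dump(display_errors_hardened($server, array(), 10, array()));   // admin-level session
apply_error_policy(display_errors_hardened($server, array(), null, array()));
```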

      Attachments

        Activity

          [OBS-2052] can't disable debug by web.

          landy Mike Stupalov added a comment:

          done in r8138.

          this is completely not a security issue.

          kernel24 Vitaly Znachenok added a comment:

          Mike,

          I updated to the last version using svn update:
          Updated to revision 8137. (http://svn.observium.org/svn/observium/trunk)

          I get the url via curl "https://observiumserver/&debug"

          For example I can see debug info like:
          <b>Warning</b>: mysqli_real_connect(): Headers and client library minor version mismatch. Headers:50547 Library:100021 in <b>/opt/observium/includes/db/mysqli.inc.php</b> on line <b>114</b><br />

          Because this section works:
            else if ((isset($_SERVER['PATH_INFO']) && strpos($_SERVER['PATH_INFO'], 'debug')) ||
                     (isset($_SERVER['REQUEST_URI']) && strpos($_SERVER['REQUEST_URI'], 'debug')) ||
                     (isset($_REQUEST['debug']) && $_REQUEST['debug']))

            ini_set('display_errors', 1);
            ini_set('display_startup_errors', 1);
            ini_set('log_errors', 1);
            ini_set('error_reporting', E_ALL ^ E_NOTICE);

          As a fast solution I commented out
          //ini_set('error_reporting', E_ALL ^ E_NOTICE);

          landy Mike Stupalov added a comment:

          what exactly is not fixed?
          all privileged users (user level >= 7) can see debug info in wui.

          are you using the stable train? (then currently this is fixed only in trunk)

          kernel24 Vitaly Znachenok added a comment:

          Hello, I updated to 8137, not fixed. I see the same result.

          landy Mike Stupalov added a comment:

          Fixed in 8137.

          People

            landy Mike Stupalov
            kernel24 Vitaly Znachenok