ID: 19611
Project: Bug reports
Category: Security
View Status: public
Last Update: 2024-06-18 10:20
Reporter: Mazi
Assigned To: tibor.pacalat
Priority: none
Severity: partial_block
Status: closed
Resolution: won't fix
Product Version: 6.5.x
Summary19611: Security: Remove sensitive information like passwords from phpinfo
Description

This is the first time I have seen this, but there may be some systems for which phpinfo exposes very sensitive data like the DB password, see attached screenshot.

A default admin user with permissions to access phpinfo could get access to data they should not see.

Question is: Can we somehow remove such details from the default phpinfo?

Steps To Reproduce

This may be difficult to reproduce since the customer uses a special Kubernetes setup which is pretty custom. I have never seen such details at a phpinfo before.

Expected result

(Write here what you expected to happen)

Actual result

(Write here what happened instead)

Tags: No tags attached.
Bug heat: 256
Complete LimeSurvey version number (& build): 6.5.3
I will donate to the project if issue is resolved: No
Browser:
Database type & version: MySQL
Server OS (if known):
Webserver software & version (if known):
PHP Version: 8.2


Activities

Mazi (updater), 2024-06-13 13:03, note ~80323

@DenisChenu, have you ever seen an exposure like this before?

tibor.pacalat (administrator), 2024-06-13 16:57, note ~80331

Hmm, from looking at the code I don't think anyone except superadmin can see this info

DenisChenu (developer), 2024-06-13 17:19, note ~80335

I don't see it on your screenshot: too little.
ENV parameters?
We cannot know if we allow it or not. Else: except restriction to ForcedSuperAdmin (user 1 by default), no reason to enforce more.

The fixes about restriction are not so old; maybe forcedsuperadmin only?

tibor.pacalat (administrator), 2024-06-13 17:39, note ~80338

@DenisChenu I don't understand what you wrote, sorry.
AFAIK there are no restrictions on what is shown via phpinfo. So there could be some ENV vars that are unwillingly exposed this way, but I would say this is the issue of setting them improperly. Or am I seeing this wrong?

DenisChenu (developer), 2024-06-13 18:15, note ~80343

@DenisChenu I don't understand what you wrote, sorry.

You mean about ForcedSuperAdmin? I mean: by default, user #1 has access to all, since he has access to FTP and DB parameters. A simple superadmin doesn't have access to all. Then maybe restriction to forced superadmin.

References:
https://github.com/LimeSurvey/LimeSurvey/blob/f529dfb14c5ec2d05864614bc9ec0c7db1eefb20/application/models/Permission.php#L637
https://github.com/LimeSurvey/LimeSurvey/blob/f529dfb14c5ec2d05864614bc9ec0c7db1eefb20/application/config/config-defaults.php#L673
https://github.com/LimeSurvey/LimeSurvey/pull/3801

DenisChenu (developer), 2024-06-13 18:16, note ~80344

but I would say this is the issue of setting them improperly. Or am I seeing this wrong?

:+1:

Mazi (updater), 2024-06-13 19:40, note ~80349

Looks like only superadmins can access this.

And it surely is a thing of setting ENV variables (wrong) and then these can get exposed.
Question is if we have any chance to filter such an exposure?

DenisChenu (developer), 2024-06-13 20:28, note ~80350

Question is if we have any chance to filter such an exposure?

Clearly not:

  1. Unsure this can be done (remove ENV).
  2. You may want to know if some ENV are set (for example: production/preprod etc.).
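
The report asks whether such details can be removed from the default phpinfo output, and the note above is unsure it can be done. As an added example, not LimeSurvey code and not from anyone in this thread: `phpinfo()` takes a bitmask of sections, so the two sections where process environment variables (and therefore a Kubernetes-injected DB password) surface, `INFO_ENVIRONMENT` and `INFO_VARIABLES`, can be left out entirely, and the remaining HTML can be passed through a key-name based mask. The `$isForcedSuperAdmin` gate is a hypothetical placeholder for the application's own permission check (the thread points at LimeSurvey's Permission model for that); the key patterns are constructed sample values.

```php
<?php
// Added example (not LimeSurvey code): serve phpinfo() without the sections
// that carry process environment data, then mask leftover secret-looking rows.

declare(strict_types=1);

/**
 * Render phpinfo() HTML without INFO_ENVIRONMENT ($_ENV / process environment)
 * and INFO_VARIABLES ($_SERVER, $_COOKIE, ...). Those are the sections in which
 * container-injected variables such as database credentials appear.
 * Any remaining row whose key matches one of $secretKeyPatterns is masked.
 *
 * @param string[] $secretKeyPatterns PCRE patterns matched against row keys
 */
function renderRedactedPhpinfo(array $secretKeyPatterns): string
{
    ob_start();
    // INFO_ALL is -1 (every bit set); clearing two section bits drops those sections.
    phpinfo(INFO_ALL & ~INFO_ENVIRONMENT & ~INFO_VARIABLES);
    $html = (string) ob_get_clean();

    // Web-mode phpinfo emits rows as <td class="e">key</td><td class="v">value</td>.
    $masked = preg_replace_callback(
        '#(<td class="e">)([^<]*)(</td>\s*<td class="v">)([^<]*)(</td>)#',
        static function (array $m) use ($secretKeyPatterns): string {
            foreach ($secretKeyPatterns as $pattern) {
                if (preg_match($pattern, $m[2]) === 1) {
                    // Keep the key so an admin still sees that the setting exists.
                    return $m[1] . $m[2] . $m[3] . '[redacted]' . $m[5];
                }
            }
            return $m[0];
        },
        $html
    );

    return $masked ?? '';
}

// Hypothetical permission gate (placeholder): only the forced superadmin
// (user #1 in the thread's terms) should ever reach phpinfo at all.
$isForcedSuperAdmin = false; // replace with the application's own check
if (!$isForcedSuperAdmin) {
    http_response_code(403);
    exit('phpinfo is restricted to the forced superadmin');
}

// Constructed sample patterns for keys that commonly hold credentials.
echo renderRedactedPhpinfo([
    '/pass(word|wd)?/i',
    '/secret/i',
    '/token/i',
    '/api[_-]?key/i',
    '/private[_-]?key/i',
]);
```

Dropping the two sections is what actually removes the environment; the regex mask is a second line of defence for values that end up in other rows. It does not catch credentials embedded in ini values under a non-secret key (for example a DSN in `session.save_path`), so the blunt alternative when phpinfo is not needed at all is `disable_functions = phpinfo` in php.ini, which makes the call fail for every user regardless of application permissions.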

tibor.pacalat (administrator), 2024-06-14 10:11, note ~80362

As I see it, this is not an issue on the application side -> closing this issue.

Mazi (updater), 2024-06-18 10:10, note ~80384

@tibor.pacalat: Can you remove the screenshot I attached and make this public?

DenisChenu (developer), 2024-06-18 10:20, note ~80385

Done

Issue History

Date Modified Username Field Change
2024-06-13 13:02 Mazi New Issue
2024-06-13 13:02 Mazi File Added: image.png
2024-06-13 13:02 Mazi Assigned To => tibor.pacalat
2024-06-13 13:02 Mazi Status new => assigned
2024-06-13 13:03 Mazi Note Added: 80323
2024-06-13 13:03 Mazi Bug heat 256 => 258
2024-06-13 16:57 tibor.pacalat Note Added: 80331
2024-06-13 16:57 tibor.pacalat File Added: Screenshot 2024-06-13 at 16.56.33.png
2024-06-13 16:57 tibor.pacalat Bug heat 258 => 260
2024-06-13 17:19 DenisChenu Note Added: 80335
2024-06-13 17:19 DenisChenu Bug heat 260 => 262
2024-06-13 17:39 tibor.pacalat Note Added: 80338
2024-06-13 18:15 DenisChenu Note Added: 80343
2024-06-13 18:16 DenisChenu Note Added: 80344
2024-06-13 19:40 Mazi Note Added: 80349
2024-06-13 20:28 DenisChenu Note Added: 80350
2024-06-14 10:11 tibor.pacalat Note Added: 80362
2024-06-14 10:11 tibor.pacalat Status assigned => closed
2024-06-14 10:11 tibor.pacalat Resolution open => won't fix
2024-06-18 10:10 Mazi Note Added: 80384
2024-06-18 10:20 DenisChenu File Deleted: image.png
2024-06-18 10:20 DenisChenu View Status private => public
2024-06-18 10:20 DenisChenu Bug heat 262 => 256
2024-06-18 10:20 DenisChenu Note Added: 80385