View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0020277 | mantisbt | security | public | 2015-11-16 15:48 | 2016-06-12 00:42 |
Field | Value
---|---
Reporter | atrol
Assigned To | atrol
Priority | normal
Severity | major
Reproducibility | always
Status | closed
Resolution | fixed
Product Version | 1.3.0-beta.1
Target Version | 1.3.0-rc.2
Fixed in Version | 1.3.0-rc.2
Summary | 0020277: CVE-2014-9759: SOAP API can be used to disclose confidential settings
Description | mc_config_get_string can be used to disclose confidential settings
Tags | No tags attached.
Attached Files | fix-20277.patch (2,036 bytes)
From 66e3da31089f51429dad402db5a49d97b4864367 Mon Sep 17 00:00:00 2001 From: Roland Becker <roland@atrol.de> Date: Mon, 16 Nov 2015 23:15:36 +0100 Subject: [PATCH] Add missing confidential options to function config_is_private Fixes #20277 Thanks @grangeway for pointing out master_crypto_salt vs. crypto_master_salt some while ago. --- core/config_api.php | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/core/config_api.php b/core/config_api.php index 8cace8c..20f3a2a 100644 --- a/core/config_api.php +++ b/core/config_api.php @@ -690,7 +690,12 @@ function config_is_private( $p_config_var ) { case 'database_name': case 'db_schema': case 'db_type': - case 'master_crypto_salt': + case 'db_table_prefix': + case 'db_table_plugin_prefix': + case 'db_table_suffix': + case 'use_persistent_connections': + case 'dsn': + case 'crypto_master_salt': case 'smtp_host': case 'smtp_username': case 'smtp_password': @@ -702,9 +707,11 @@ function config_is_private( $p_config_var ) { case 'class_path': case 'library_path': case 'language_path': + case 'config_path': case 'session_save_path': case 'session_handler': case 'session_validation': + case 'form_security_validation': case 'global_settings': case 'system_font_folder': case 'phpMailer_method': @@ -716,9 +723,12 @@ function config_is_private( $p_config_var ) { case 'ldap_root_dn': case 'ldap_organization': case 'ldap_uid_field': + case 'ldap_realname_field': case 'ldap_bind_dn': case 'ldap_bind_passwd': case 'use_ldap_email': + case 'use_ldap_realname': + case 'ldap_simulation_file_path': case 'ldap_protocol_version': case 'login_method': case 'cookie_path': @@ -732,6 +742,7 @@ function config_is_private( $p_config_var ) { case 'log_destination': case 'dot_tool': case 'neato_tool': + case 'debug_email': return true; # Marked obsolete in 1.3.0dev - keep here to make sure they are not disclosed by soap api. -- 2.4.9 (Apple Git-60) config_names.txt (3,152 bytes)
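Review bot: in the first hunk of fix-20277.patch, the pair `- case 'master_crypto_salt':` / `+ case 'crypto_master_salt':` is the actual security fix, because the old spelling never matched a real option and the salt was therefore returned like any public setting; that deserves its own sentence in the commit message rather than only the thanks to @grangeway for "pointing out master_crypto_salt vs. crypto_master_salt". The other additions in the same hunk (`dsn`, the three `db_table_*` names, `use_persistent_connections`) are sensible.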
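Review bot: in the last hunk of fix-20277.patch (`+ case 'debug_email':` before `return true;`), the function is still a deny list whose fall-through result is "public", so any option added to MantisBT later, or misspelt here again as happened with the salt, is disclosed unless someone remembers to extend the switch. A default-deny allow list of the options the web service may return would remove that failure mode; the later attachments on this page take that approach.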
/** * The following list of configuration options is used to check if it is * allowed to query a specific configuration option by SOAP API * @global array $g_public_config_names */ $g_public_config_names = array( 'allow_signup', 'max_failed_login_count', 'notify_new_user_created_threshold_min', 'signup_use_captcha', 'lost_password_feature', 'max_lost_password_in_progress_count', 'antispam_max_event_count', 'antispam_time_window_in_seconds', 'webmaster_email', 'from_email', 'from_name', 'return_path_email', 'enable_email_notification','notify_flags', 'email_receive_own', 'validate_email','check_mx_record', 'allow_blank_email', 'show_user_email_threshold', 'show_user_realname_threshold', 'mail_priority', 'email_separator1','email_separator2', 'email_padding_length', 'show_version', 'version_suffix', 'copyright_statement', 'default_language','fallback_language', 'window_title', 'webmaster_email','favicon_image', 'logo_image', 'logo_url', 'enable_project_documentation','show_footer_menu', 'show_project_menu_bar', 'show_assigned_names', 'show_priority_text', 'priority_significant_threshold', 'severity_significant_threshold', 'show_bug_project_links', 'status_legend_position', 'status_percentage_legend', 'filter_position', 'action_button_position','show_product_version', 'show_version_dates_threshold', 'show_realname', 'differentiate_duplicates', 'sort_by_last_name','show_avatar', 'show_avatar_threshold', 'show_changelog_dates', 'show_roadmap_dates', 'cookie_time_length', 'allow_permanent_cookie', 'long_process_timeout', 'short_date_format', 'normal_date_format', 'complete_date_format', 'calendar_js_date_format', 'calendar_date_format', 'default_timezone', 'news_enabled', 'news_limit_method', 'news_view_limit','news_view_limit_days', 'private_news_threshold', 'default_new_account_access_level', 'default_project_view_status', 'default_bug_view_status', 'default_bug_steps_to_reproduce', 'default_bug_additional_info', 'default_bugnote_view_status', 'default_bug_resolution', 
'default_bug_severity', 'default_bug_priority', 'default_bug_reproducibility', 'default_bug_projection', 'default_bug_eta', 'default_bug_relationship_clone', 'default_bug_relationship', 'default_category_for_moves', 'default_limit_view', 'default_show_changed', 'hide_status_default', 'show_sticky_issues', 'min_refresh_delay', 'default_refresh_delay', 'default_redirect_delay', 'default_bugnote_order', 'default_email_on_new', 'default_email_on_assigned', 'default_email_on_feedback', 'default_email_on_resolved', 'default_email_on_closed', 'default_email_on_reopened', 'default_email_on_bugnote', 'default_email_on_status', 'default_email_on_priority', 'default_email_on_new_minimum_severity', 'default_email_on_assigned_minimum_severity', 'default_email_on_feedback_minimum_severity', 'default_email_on_resolved_minimum_severity', 'default_email_on_closed_minimum_severity', 'default_email_on_reopened_minimum_severity', 'default_email_on_bugnote_minimum_severity', 'default_email_on_status_minimum_severity', 'default_email_on_priority_minimum_severity', 'default_email_bugnote_limit', ); fix-20277-2.patch (14,130 bytes)
From b858790ae3d1d17b4bfab46d29b3a3094360650e Mon Sep 17 00:00:00 2001 From: Roland Becker <roland@atrol.de> Date: Wed, 23 Dec 2015 20:32:10 +0100 Subject: [PATCH] Implement a white list of options that can be accessed via SOAP API Fixes #20277 --- config_defaults_inc.php | 347 ++++++++++++++++++++++++++ core/config_api.php | 63 +---- docbook/Admin_Guide/en-US/config/settings.xml | 6 + 3 files changed, 356 insertions(+), 60 deletions(-) diff --git a/config_defaults_inc.php b/config_defaults_inc.php index 780fd1f..62568ec 100644 --- a/config_defaults_inc.php +++ b/config_defaults_inc.php 
@@ -4265,6 +4265,353 @@ $g_global_settings = array( 'cdn_enabled' ); +/** + * The following list of configuration options is used to check if it is + * allowed to query a specific configuration option via SOAP API. + * @global array $g_public_config_names + */ +$g_public_config_names = array( + 'access_levels_enum_string', + 'action_button_position', + 'add_bugnote_threshold', + 'add_profile_threshold', + 'admin_site_threshold', + 'allow_account_delete', + 'allow_anonymous_login', + 'allow_blank_email', + 'allow_delete_own_attachments', + 'allow_download_own_attachments', + 'allow_file_upload', + 'allow_freetext_in_profile_fields', + 'allow_no_category', + 'allow_permanent_cookie', + 'allow_reporter_close', + 'allow_reporter_reopen', + 'allow_reporter_upload', + 'allow_signup', + 'allowed_files', + 'anonymous_account', + 'antispam_max_event_count', + 'antispam_time_window_in_seconds', + 'assign_sponsored_bugs_threshold', + 'auto_set_status_to_assigned', + 'backward_year_count', + 'bottom_include_page', + 'bug_assigned_status', + 'bug_closed_status_threshold', + 'bug_count_hyperlink_prefix', + 'bug_duplicate_resolution', + 'bug_feedback_status', + 'bug_link_tag', + 'bug_list_cookie', + 'bug_readonly_status_threshold', + 'bug_reminder_threshold', + 'bug_reopen_resolution', + 'bug_reopen_status', + 'bug_resolution_fixed_threshold', + 'bug_resolution_not_fixed_threshold', + 'bug_resolved_status_threshold', + 'bug_revision_drop_threshold', + 'bug_submit_status', + 'bugnote_link_tag', + 'bugnote_order', + 'bugnote_user_change_view_state_threshold', + 'bugnote_user_delete_threshold', + 'bugnote_user_edit_threshold', + 'calendar_date_format', + 'calendar_js_date_format', + 'cdn_enabled', + 'change_view_status_threshold', + 'check_mx_record', + 'complete_date_format', + 'compress_html', + 'cookie_prefix', + 'cookie_time_length', + 'copyright_statement', + 'create_permalink_threshold', + 'create_project_threshold', + 'create_short_url', + 'css_include_file', + 
'css_rtl_include_file', + 'csv_add_bom', + 'csv_separator', + 'custom_field_edit_after_create', + 'custom_field_link_threshold', + 'custom_field_type_enum_string', + 'default_bug_additional_info', + 'default_bug_eta', + 'default_bug_priority', + 'default_bug_projection', + 'default_bug_relationship_clone', + 'default_bug_relationship', + 'default_bug_reproducibility', + 'default_bug_resolution', + 'default_bug_severity', + 'default_bug_steps_to_reproduce', + 'default_bug_view_status', + 'default_bugnote_order', + 'default_bugnote_view_status', + 'default_category_for_moves', + 'default_email_bugnote_limit', + 'default_email_on_assigned_minimum_severity', + 'default_email_on_assigned', + 'default_email_on_bugnote_minimum_severity', + 'default_email_on_bugnote', + 'default_email_on_closed_minimum_severity', + 'default_email_on_closed', + 'default_email_on_feedback_minimum_severity', + 'default_email_on_feedback', + 'default_email_on_new_minimum_severity', + 'default_email_on_new', + 'default_email_on_priority_minimum_severity', + 'default_email_on_priority', + 'default_email_on_reopened_minimum_severity', + 'default_email_on_reopened', + 'default_email_on_resolved_minimum_severity', + 'default_email_on_resolved', + 'default_email_on_status_minimum_severity', + 'default_email_on_status', + 'default_home_page', + 'default_language', + 'default_limit_view', + 'default_manage_tag_prefix', + 'default_manage_user_prefix', + 'default_new_account_access_level', + 'default_project_view_status', + 'default_redirect_delay', + 'default_refresh_delay', + 'default_reminder_view_status', + 'default_show_changed', + 'default_timezone', + 'delete_bug_threshold', + 'delete_bugnote_threshold', + 'delete_project_threshold', + 'development_team_threshold', + 'differentiate_duplicates', + 'disallowed_files', + 'display_bug_padding', + 'display_bugnote_padding', + 'display_project_padding', + 'download_attachments_threshold', + 'due_date_update_threshold', + 'due_date_view_threshold', + 
'email_padding_length', + 'email_receive_own', + 'email_separator1', + 'email_separator2', + 'enable_email_notification', + 'enable_eta', + 'enable_product_build', + 'enable_profiles', + 'enable_project_documentation', + 'enable_projection', + 'enable_sponsorship', + 'eta_enum_string', + 'fallback_language', + 'favicon_image', + 'file_upload_max_num', + 'filter_by_custom_fields', + 'filter_custom_fields_per_row', + 'filter_position', + 'forward_year_count', + 'from_email', 'from_name', + 'handle_bug_threshold', + 'handle_sponsored_bugs_threshold', + 'hide_status_default', + 'history_default_visible', + 'history_order', + 'hr_size', + 'hr_width', + 'html_make_links', + 'html_valid_tags_single_line', + 'html_valid_tags', + 'inline_file_exts', + 'limit_reporters', + 'logo_image', + 'logo_url', + 'logout_cookie', + 'logout_redirect_page', + 'long_process_timeout', + 'lost_password_feature', + 'mail_priority', + 'manage_config_cookie', + 'manage_configuration_threshold', + 'manage_custom_fields_threshold', + 'manage_global_profile_threshold', + 'manage_news_threshold', + 'manage_plugin_threshold', + 'manage_project_threshold', + 'manage_site_threshold', + 'manage_user_threshold', + 'manage_users_cookie', + 'max_dropdown_length', + 'max_failed_login_count', + 'max_file_size', + 'max_lost_password_in_progress_count', + 'meta_include_file', + 'min_refresh_delay', + 'minimum_sponsorship_amount', + 'monitor_add_others_bug_threshold', + 'monitor_bug_threshold', + 'monitor_delete_others_bug_threshold', + 'move_bug_threshold', + 'my_view_boxes_fixed_position', + 'my_view_bug_count', + 'news_enabled', + 'news_limit_method', + 'news_view_limit_days', + 'news_view_limit', + 'normal_date_format', + 'notify_flags', + 'notify_new_user_created_threshold_min', + 'plugins_enabled', + 'preview_attachments_inline_max_size', + 'preview_max_height', + 'preview_max_width', + 'priority_enum_string', + 'priority_significant_threshold', + 'private_bug_threshold', + 'private_bugnote_threshold', 
+ 'private_news_threshold', + 'private_project_threshold', + 'project_cookie', + 'project_status_enum_string', + 'project_user_threshold', + 'project_view_state_enum_string', + 'projection_enum_string', + 'reassign_on_feedback', + 'reauthentication_expiry', + 'reauthentication', + 'recently_visited_count', + 'relationship_graph_enable', + 'relationship_graph_fontname', + 'relationship_graph_fontsize', + 'relationship_graph_max_depth', + 'relationship_graph_orientation', + 'relationship_graph_view_on_click', + 'reminder_receive_threshold', + 'reminder_recipients_monitor_bug', + 'reopen_bug_threshold', + 'report_bug_threshold', + 'report_issues_for_unreleased_versions_threshold', + 'reporter_summary_limit', + 'reproducibility_enum_string', + 'resolution_enum_string', + 'return_path_email', + 'roadmap_update_threshold', + 'roadmap_view_threshold', + 'rss_enabled', + 'set_bug_sticky_threshold', + 'set_configuration_threshold', + 'set_view_status_threshold', + 'severity_enum_string', + 'severity_significant_threshold', + 'short_date_format', + 'show_assigned_names', + 'show_avatar_threshold', + 'show_avatar', + 'show_bug_project_links', + 'show_changelog_dates', + 'show_detailed_errors', + 'show_footer_menu', + 'show_log_threshold', + 'show_memory_usage', + 'show_monitor_list_threshold', + 'show_priority_text', + 'show_product_version', + 'show_project_menu_bar', + 'show_queries_count', + 'show_realname', + 'show_roadmap_dates', + 'show_sticky_issues', + 'show_timer', + 'show_user_email_threshold', + 'show_user_realname_threshold', + 'show_version_dates_threshold', + 'show_version', + 'signup_use_captcha', + 'sort_by_last_name', + 'sponsor_threshold', + 'sponsorship_currency', + 'sponsorship_enum_string', + 'status_enum_string', + 'status_legend_position', + 'status_percentage_legend', + 'stop_on_errors', + 'store_reminders', + 'stored_query_create_shared_threshold', + 'stored_query_create_threshold', + 'stored_query_use_threshold', + 'string_cookie', + 
'subprojects_enabled', + 'subprojects_inherit_categories', + 'subprojects_inherit_versions', + 'summary_category_include_project', + 'tag_attach_threshold', + 'tag_create_threshold', + 'tag_detach_own_threshold', + 'tag_detach_threshold', + 'tag_edit_own_threshold', + 'tag_edit_threshold', + 'tag_separator', + 'tag_view_threshold', + 'time_tracking_edit_threshold', + 'time_tracking_enabled', + 'time_tracking_reporting_threshold', + 'time_tracking_stopwatch', + 'time_tracking_view_threshold', + 'time_tracking_with_billing', + 'time_tracking_without_note', + 'top_include_page', + 'update_bug_assign_threshold', + 'update_bug_status_threshold', + 'update_bug_threshold', + 'update_bugnote_threshold', + 'update_readonly_bug_threshold', + 'upload_bug_file_threshold', + 'upload_project_file_threshold', + 'use_dynamic_filters', + 'user_login_valid_regex', + 'validate_email', + 'version_suffix', + 'view_all_cookie', + 'view_attachments_threshold', + 'view_bug_threshold', + 'view_changelog_threshold', + 'view_configuration_threshold', + 'view_filters', + 'view_handler_threshold', + 'view_history_threshold', + 'view_proj_doc_threshold', + 'view_sponsorship_details_threshold', + 'view_sponsorship_total_threshold', + 'view_state_enum_string', + 'view_summary_threshold', + 'webmaster_email', + 'webmaster_email', + 'webmaster_email', + 'webmaster_email', + 'webmaster_email', + 'webservice_admin_access_level_threshold', + 'webservice_error_when_version_not_found', + 'webservice_eta_enum_default_when_not_found', + 'webservice_priority_enum_default_when_not_found', + 'webservice_projection_enum_default_when_not_found', + 'webservice_readonly_access_level_threshold', + 'webservice_readwrite_access_level_threshold', + 'webservice_resolution_enum_default_when_not_found', + 'webservice_severity_enum_default_when_not_found', + 'webservice_specify_reporter_on_add_access_level_threshold', + 'webservice_status_enum_default_when_not_found', + 'webservice_version_when_not_found', + 
'wiki_enable', + 'wiki_engine_url', + 'wiki_engine', + 'wiki_root_namespace', + 'window_title', + 'wrap_in_preformatted_text' +); + # Temporary variables should not remain defined in global scope unset( $t_protocol, $t_host, $t_hosts, $t_port, $t_self, $t_path ); diff --git a/core/config_api.php b/core/config_api.php index 8cace8c..7b25293 100644 --- a/core/config_api.php +++ b/core/config_api.php 
@@ -677,71 +677,14 @@ function config_eval( $p_value, $p_global = false ) { } /** - * list of configuration variable which may expose web server details and should not be exposed to users or web services + * Check if a configuration variable should not be exposed to users or web services * * @param string $p_config_var Configuration option. * @return boolean */ function config_is_private( $p_config_var ) { - switch( $p_config_var ) { - case 'hostname': - case 'db_username': - case 'db_password': - case 'database_name': - case 'db_schema': - case 'db_type': - case 'master_crypto_salt': - case 'smtp_host': - case 'smtp_username': - case 'smtp_password': - case 'smtp_connection_mode': - case 'smtp_port': - case 'email_send_using_cronjob': - case 'absolute_path': - case 'core_path': - case 'class_path': - case 'library_path': - case 'language_path': - case 'session_save_path': - case 'session_handler': - case 'session_validation': - case 'global_settings': - case 'system_font_folder': - case 'phpMailer_method': - case 'attachments_file_permissions': - case 'file_upload_method': - case 'absolute_path_default_upload_folder': - case 'ldap_server': - case 'plugin_path': - case 'ldap_root_dn': - case 'ldap_organization': - case 'ldap_uid_field': - case 'ldap_bind_dn': - case 'ldap_bind_passwd': - case 'use_ldap_email': - case 'ldap_protocol_version': - case 'login_method': - case 'cookie_path': - case 'cookie_domain': - case 'bottom_include_page': - case 'top_include_page': - case 'css_include_file': - case 'css_rtl_include_file': - case 'meta_include_file': - case 'log_level': - case 'log_destination': - case 'dot_tool': - case 'neato_tool': - return true; - - # Marked obsolete in 1.3.0dev - keep here to make sure they are not disclosed by soap api. - # These can be removed once complete removal from config and db is enforced by upgrade process. 
- case 'file_upload_ftp_server': - case 'file_upload_ftp_user': - case 'file_upload_ftp_pass': - return true; - } + global $g_public_config_names; - return false; + return !in_array( $p_config_var, $g_public_config_names, true ); } diff --git a/docbook/Admin_Guide/en-US/config/settings.xml b/docbook/Admin_Guide/en-US/config/settings.xml index 066b0e3..548e8f8 100644 --- a/docbook/Admin_Guide/en-US/config/settings.xml +++ b/docbook/Admin_Guide/en-US/config/settings.xml @@ -12,5 +12,11 @@ <para>This option contains the list of configuration options that are used to determine if it is allowed for a specific configuration option to be saved to or loaded from the database. Configuration options that are in the list are considered global only and hence are only configurable via the config_inc.php file and defaulted by config_defaults_inc.php file.</para> </listitem> </varlistentry> + <varlistentry> + <term>$g_public_config_names</term> + <listitem> + <para>This option contains a list of configuration options that can be queried via SOAP API.</para> + </listitem> + </varlistentry> </variablelist> </section> -- 2.5.4 (Apple Git-61) fix-20277-3.patch (14,284 bytes)
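Review bot: in the config_defaults_inc.php hunk of fix-20277-2.patch, `$g_public_config_names` is not added to `$g_global_settings` (the context line shows the array still ending at `'cdn_enabled'`), yet the docbook hunk in the same patch says options outside that list may be loaded from the database; as written, the allow list itself could be overridden by a database-stored value. Add `'public_config_names'` to `$g_global_settings` so the list is only settable from config_inc.php. Smaller points in the same hunk: `'webmaster_email'` is listed five times in a row near the end of the array, and `'from_email', 'from_name',` shares one line where every other entry has its own.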
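Review bot: in the core/config_api.php hunk of fix-20277-2.patch, `bottom_include_page`, `top_include_page`, `css_include_file`, `css_rtl_include_file` and `meta_include_page` are removed from the private switch, whose deleted doc comment described its entries as options that "may expose web server details", while the new `$g_public_config_names` array in the other hunk lists the same five names as public. Either drop them from the allow list or say in the commit message why they are now considered safe to return. The strict `in_array( $p_config_var, $g_public_config_names, true )` is the right call; an unknown option now yields private by default.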
From 2962191af12908eefc5432b6362bdbc802951fdd Mon Sep 17 00:00:00 2001 From: Roland Becker <roland@atrol.de> Date: Wed, 23 Dec 2015 20:32:10 +0100 Subject: [PATCH] Implement a white list of options that can be accessed via SOAP API Fixes #20277 --- config_defaults_inc.php | 346 +++++++++++++++++++++++++- core/config_api.php | 63 +---- docbook/Admin_Guide/en-US/config/settings.xml | 6 + 3 files changed, 354 insertions(+), 61 deletions(-) diff --git a/config_defaults_inc.php b/config_defaults_inc.php index 780fd1f..9be2cb6 100644 --- a/config_defaults_inc.php +++ b/config_defaults_inc.php 
@@ -4262,7 +4262,351 @@ $g_global_settings = array( 'class_path','library_path', 'language_path', 'absolute_path_default_upload_folder', 'ldap_simulation_file_path', 'plugin_path', 'bottom_include_page', 'top_include_page', 'default_home_page', 'logout_redirect_page', 'manual_url', 'logo_url', 'wiki_engine_url', - 'cdn_enabled' + 'cdn_enabled', 'public_config_names' +); + +/** + * The following list of configuration options is used to check if it is + * allowed to query a specific configuration option via SOAP API. + * @global array $g_public_config_names + */ +$g_public_config_names = array( + 'access_levels_enum_string', + 'action_button_position', + 'add_bugnote_threshold', + 'add_profile_threshold', + 'admin_site_threshold', + 'allow_account_delete', + 'allow_anonymous_login', + 'allow_blank_email', + 'allow_delete_own_attachments', + 'allow_download_own_attachments', + 'allow_file_upload', + 'allow_freetext_in_profile_fields', + 'allow_no_category', + 'allow_permanent_cookie', + 'allow_reporter_close', + 'allow_reporter_reopen', + 'allow_reporter_upload', + 'allow_signup', + 'allowed_files', + 'anonymous_account', + 'antispam_max_event_count', + 'antispam_time_window_in_seconds', + 'assign_sponsored_bugs_threshold', + 'auto_set_status_to_assigned', + 'backward_year_count', + 'bottom_include_page', + 'bug_assigned_status', + 'bug_closed_status_threshold', + 'bug_count_hyperlink_prefix', + 'bug_duplicate_resolution', + 'bug_feedback_status', + 'bug_link_tag', + 'bug_list_cookie', + 'bug_readonly_status_threshold', + 'bug_reminder_threshold', + 'bug_reopen_resolution', + 'bug_reopen_status', + 'bug_resolution_fixed_threshold', + 'bug_resolution_not_fixed_threshold', + 'bug_resolved_status_threshold', + 'bug_revision_drop_threshold', + 'bug_submit_status', + 'bugnote_link_tag', + 'bugnote_order', + 'bugnote_user_change_view_state_threshold', + 'bugnote_user_delete_threshold', + 'bugnote_user_edit_threshold', + 'calendar_date_format', + 'calendar_js_date_format', + 
'cdn_enabled', + 'change_view_status_threshold', + 'check_mx_record', + 'complete_date_format', + 'compress_html', + 'cookie_prefix', + 'cookie_time_length', + 'copyright_statement', + 'create_permalink_threshold', + 'create_project_threshold', + 'create_short_url', + 'css_include_file', + 'css_rtl_include_file', + 'csv_add_bom', + 'csv_separator', + 'custom_field_edit_after_create', + 'custom_field_link_threshold', + 'custom_field_type_enum_string', + 'default_bug_additional_info', + 'default_bug_eta', + 'default_bug_priority', + 'default_bug_projection', + 'default_bug_relationship_clone', + 'default_bug_relationship', + 'default_bug_reproducibility', + 'default_bug_resolution', + 'default_bug_severity', + 'default_bug_steps_to_reproduce', + 'default_bug_view_status', + 'default_bugnote_order', + 'default_bugnote_view_status', + 'default_category_for_moves', + 'default_email_bugnote_limit', + 'default_email_on_assigned_minimum_severity', + 'default_email_on_assigned', + 'default_email_on_bugnote_minimum_severity', + 'default_email_on_bugnote', + 'default_email_on_closed_minimum_severity', + 'default_email_on_closed', + 'default_email_on_feedback_minimum_severity', + 'default_email_on_feedback', + 'default_email_on_new_minimum_severity', + 'default_email_on_new', + 'default_email_on_priority_minimum_severity', + 'default_email_on_priority', + 'default_email_on_reopened_minimum_severity', + 'default_email_on_reopened', + 'default_email_on_resolved_minimum_severity', + 'default_email_on_resolved', + 'default_email_on_status_minimum_severity', + 'default_email_on_status', + 'default_home_page', + 'default_language', + 'default_limit_view', + 'default_manage_tag_prefix', + 'default_manage_user_prefix', + 'default_new_account_access_level', + 'default_project_view_status', + 'default_redirect_delay', + 'default_refresh_delay', + 'default_reminder_view_status', + 'default_show_changed', + 'default_timezone', + 'delete_bug_threshold', + 'delete_bugnote_threshold', + 
'delete_project_threshold', + 'development_team_threshold', + 'differentiate_duplicates', + 'disallowed_files', + 'display_bug_padding', + 'display_bugnote_padding', + 'display_project_padding', + 'download_attachments_threshold', + 'due_date_update_threshold', + 'due_date_view_threshold', + 'email_padding_length', + 'email_receive_own', + 'email_separator1', + 'email_separator2', + 'enable_email_notification', + 'enable_eta', + 'enable_product_build', + 'enable_profiles', + 'enable_project_documentation', + 'enable_projection', + 'enable_sponsorship', + 'eta_enum_string', + 'fallback_language', + 'favicon_image', + 'file_upload_max_num', + 'filter_by_custom_fields', + 'filter_custom_fields_per_row', + 'filter_position', + 'forward_year_count', + 'from_email', + 'from_name', + 'handle_bug_threshold', + 'handle_sponsored_bugs_threshold', + 'hide_status_default', + 'history_default_visible', + 'history_order', + 'hr_size', + 'hr_width', + 'html_make_links', + 'html_valid_tags_single_line', + 'html_valid_tags', + 'inline_file_exts', + 'limit_reporters', + 'logo_image', + 'logo_url', + 'logout_cookie', + 'logout_redirect_page', + 'long_process_timeout', + 'lost_password_feature', + 'mail_priority', + 'manage_config_cookie', + 'manage_configuration_threshold', + 'manage_custom_fields_threshold', + 'manage_global_profile_threshold', + 'manage_news_threshold', + 'manage_plugin_threshold', + 'manage_project_threshold', + 'manage_site_threshold', + 'manage_user_threshold', + 'manage_users_cookie', + 'max_dropdown_length', + 'max_failed_login_count', + 'max_file_size', + 'max_lost_password_in_progress_count', + 'meta_include_file', + 'min_refresh_delay', + 'minimum_sponsorship_amount', + 'monitor_add_others_bug_threshold', + 'monitor_bug_threshold', + 'monitor_delete_others_bug_threshold', + 'move_bug_threshold', + 'my_view_boxes_fixed_position', + 'my_view_bug_count', + 'news_enabled', + 'news_limit_method', + 'news_view_limit_days', + 'news_view_limit', + 
'normal_date_format', + 'notify_flags', + 'notify_new_user_created_threshold_min', + 'plugins_enabled', + 'preview_attachments_inline_max_size', + 'preview_max_height', + 'preview_max_width', + 'priority_enum_string', + 'priority_significant_threshold', + 'private_bug_threshold', + 'private_bugnote_threshold', + 'private_news_threshold', + 'private_project_threshold', + 'project_cookie', + 'project_status_enum_string', + 'project_user_threshold', + 'project_view_state_enum_string', + 'projection_enum_string', + 'reassign_on_feedback', + 'reauthentication_expiry', + 'reauthentication', + 'recently_visited_count', + 'relationship_graph_enable', + 'relationship_graph_fontname', + 'relationship_graph_fontsize', + 'relationship_graph_max_depth', + 'relationship_graph_orientation', + 'relationship_graph_view_on_click', + 'reminder_receive_threshold', + 'reminder_recipients_monitor_bug', + 'reopen_bug_threshold', + 'report_bug_threshold', + 'report_issues_for_unreleased_versions_threshold', + 'reporter_summary_limit', + 'reproducibility_enum_string', + 'resolution_enum_string', + 'return_path_email', + 'roadmap_update_threshold', + 'roadmap_view_threshold', + 'rss_enabled', + 'set_bug_sticky_threshold', + 'set_configuration_threshold', + 'set_view_status_threshold', + 'severity_enum_string', + 'severity_significant_threshold', + 'short_date_format', + 'show_assigned_names', + 'show_avatar_threshold', + 'show_avatar', + 'show_bug_project_links', + 'show_changelog_dates', + 'show_detailed_errors', + 'show_footer_menu', + 'show_log_threshold', + 'show_memory_usage', + 'show_monitor_list_threshold', + 'show_priority_text', + 'show_product_version', + 'show_project_menu_bar', + 'show_queries_count', + 'show_realname', + 'show_roadmap_dates', + 'show_sticky_issues', + 'show_timer', + 'show_user_email_threshold', + 'show_user_realname_threshold', + 'show_version_dates_threshold', + 'show_version', + 'signup_use_captcha', + 'sort_by_last_name', + 'sponsor_threshold', + 
'sponsorship_currency', + 'sponsorship_enum_string', + 'status_enum_string', + 'status_legend_position', + 'status_percentage_legend', + 'stop_on_errors', + 'store_reminders', + 'stored_query_create_shared_threshold', + 'stored_query_create_threshold', + 'stored_query_use_threshold', + 'string_cookie', + 'subprojects_enabled', + 'subprojects_inherit_categories', + 'subprojects_inherit_versions', + 'summary_category_include_project', + 'tag_attach_threshold', + 'tag_create_threshold', + 'tag_detach_own_threshold', + 'tag_detach_threshold', + 'tag_edit_own_threshold', + 'tag_edit_threshold', + 'tag_separator', + 'tag_view_threshold', + 'time_tracking_edit_threshold', + 'time_tracking_enabled', + 'time_tracking_reporting_threshold', + 'time_tracking_stopwatch', + 'time_tracking_view_threshold', + 'time_tracking_with_billing', + 'time_tracking_without_note', + 'top_include_page', + 'update_bug_assign_threshold', + 'update_bug_status_threshold', + 'update_bug_threshold', + 'update_bugnote_threshold', + 'update_readonly_bug_threshold', + 'upload_bug_file_threshold', + 'upload_project_file_threshold', + 'use_dynamic_filters', + 'user_login_valid_regex', + 'validate_email', + 'version_suffix', + 'view_all_cookie', + 'view_attachments_threshold', + 'view_bug_threshold', + 'view_changelog_threshold', + 'view_configuration_threshold', + 'view_filters', + 'view_handler_threshold', + 'view_history_threshold', + 'view_proj_doc_threshold', + 'view_sponsorship_details_threshold', + 'view_sponsorship_total_threshold', + 'view_state_enum_string', + 'view_summary_threshold', + 'webmaster_email', + 'webservice_admin_access_level_threshold', + 'webservice_error_when_version_not_found', + 'webservice_eta_enum_default_when_not_found', + 'webservice_priority_enum_default_when_not_found', + 'webservice_projection_enum_default_when_not_found', + 'webservice_readonly_access_level_threshold', + 'webservice_readwrite_access_level_threshold', + 
'webservice_resolution_enum_default_when_not_found', + 'webservice_severity_enum_default_when_not_found', + 'webservice_specify_reporter_on_add_access_level_threshold', + 'webservice_status_enum_default_when_not_found', + 'webservice_version_when_not_found', + 'wiki_enable', + 'wiki_engine_url', + 'wiki_engine', + 'wiki_root_namespace', + 'window_title', + 'wrap_in_preformatted_text' ); # Temporary variables should not remain defined in global scope diff --git a/core/config_api.php b/core/config_api.php index 8cace8c..7b25293 100644 --- a/core/config_api.php +++ b/core/config_api.php 
@@ -677,71 +677,14 @@ function config_eval( $p_value, $p_global = false ) { } /** - * list of configuration variable which may expose web server details and should not be exposed to users or web services + * Check if a configuration variable should not be exposed to users or web services * * @param string $p_config_var Configuration option. * @return boolean */ function config_is_private( $p_config_var ) { - switch( $p_config_var ) { - case 'hostname': - case 'db_username': - case 'db_password': - case 'database_name': - case 'db_schema': - case 'db_type': - case 'master_crypto_salt': - case 'smtp_host': - case 'smtp_username': - case 'smtp_password': - case 'smtp_connection_mode': - case 'smtp_port': - case 'email_send_using_cronjob': - case 'absolute_path': - case 'core_path': - case 'class_path': - case 'library_path': - case 'language_path': - case 'session_save_path': - case 'session_handler': - case 'session_validation': - case 'global_settings': - case 'system_font_folder': - case 'phpMailer_method': - case 'attachments_file_permissions': - case 'file_upload_method': - case 'absolute_path_default_upload_folder': - case 'ldap_server': - case 'plugin_path': - case 'ldap_root_dn': - case 'ldap_organization': - case 'ldap_uid_field': - case 'ldap_bind_dn': - case 'ldap_bind_passwd': - case 'use_ldap_email': - case 'ldap_protocol_version': - case 'login_method': - case 'cookie_path': - case 'cookie_domain': - case 'bottom_include_page': - case 'top_include_page': - case 'css_include_file': - case 'css_rtl_include_file': - case 'meta_include_file': - case 'log_level': - case 'log_destination': - case 'dot_tool': - case 'neato_tool': - return true; - - # Marked obsolete in 1.3.0dev - keep here to make sure they are not disclosed by soap api. - # These can be removed once complete removal from config and db is enforced by upgrade process. 
- case 'file_upload_ftp_server': - case 'file_upload_ftp_user': - case 'file_upload_ftp_pass': - return true; - } + global $g_public_config_names; - return false; + return !in_array( $p_config_var, $g_public_config_names, true ); } diff --git a/docbook/Admin_Guide/en-US/config/settings.xml b/docbook/Admin_Guide/en-US/config/settings.xml index 066b0e3..548e8f8 100644 --- a/docbook/Admin_Guide/en-US/config/settings.xml +++ b/docbook/Admin_Guide/en-US/config/settings.xml @@ -12,5 +12,11 @@ <para>This option contains the list of configuration options that are used to determine if it is allowed for a specific configuration option to be saved to or loaded from the database. Configuration options that are in the list are considered global only and hence are only configurable via the config_inc.php file and defaulted by config_defaults_inc.php file.</para> </listitem> </varlistentry> + <varlistentry> + <term>$g_public_config_names</term> + <listitem> + <para>This option contains a list of configuration options that can be queried via SOAP API.</para> + </listitem> + </varlistentry> </variablelist> </section> -- 2.5.4 (Apple Git-61) | ||||
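Review bot: in the core/config_api.php hunk, config_is_private() now rests entirely on $g_public_config_names, so the unset case deserves an explicit guard: if the array is not defined when the function runs (a config_inc.php written before this option existed, or a call made before config_defaults_inc.php is loaded), in_array() emits a warning and returns null on the PHP versions of this era (a TypeError on current PHP), and `!null` becomes true, so the function happens to fail closed but only by accident. A line such as `if( !is_array( $g_public_config_names ) ) { return true; }` before the in_array() call makes the fail-closed intent visible and avoids the warning. The strict third argument to in_array() is correct and should stay.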
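Review bot: the docbook hunk describes what $g_public_config_names is for but not what the list does, which is the property an administrator needs: options not in the list are treated as private by config_is_private() and cannot be retrieved via the SOAP API. Suggest adding that sentence to the new para, and, since the list controls what can leave the server, stating that it is a global-only setting in the sense of the $g_global_settings entry documented just above it, so it cannot be overridden through the database.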
related to | 0020468 | new | Create API to let plugins add configs to public_config_names |
Reminder sent to: dregad, rombert, vboctor Please have a look at the attached patch. |
|
Thanks atrol. I agree this is a major issue. I will request a CVE for this; do you have more information about grangeway's involvement ? This is to ensure proper credit is given for the finding. |
|
Patch looks good to me, thanks for preparing it. |
|
It's not a question of the type of version (alpha/beta/rc), the CVE is needed because the version has been published. Thanks for the link. I also found it by going through Paul's PRs on Github, he was not fixing as many issues as you did in the attached patch. |
|
The patch looks good. Looks like you have reviewed the full list of config options and added the ones that don't make sense. Do we need a simpler patch to associate with the security advisory? One that hides the ones that are security risks? For example 'use_ldap_realname' is not a security risk. Not a big deal, but we don't want the scope to be bigger than the minimum change. I wonder if we should make a change that makes it less likely to have such issues in the future. For example:
Not necessarily great options, but I am wondering if there is a good decoration / annotation that we can use in context to make such slips less likely to happen in the future. |
|
I think it is. |
|
Makes sense. However, we should note in the advisory that accessing this method requires a registered user with access webservice_readonly_access_level_threshold (VIEWER by default). Or anonymous access being enabled which provides the same. I wonder if the same API can be used to pull any global variable with $g_ prefix. For example, the global variables in the core APIs. I was thinking that it would be nice to consider moving our configs to json in the future. With that, I wonder if we can have a config definition that has all the meta-data about a config option, e.g. name, type, visibility, regexp/options (for config UI - though ideally we have native UI for our configs). |
|
E.g. you can try to get contents of $g_cache_config. The bad thing is that someone might implement the array to string conversion for useful functionality without being aware that he will introduce a security issue. |
|
That is why 0020277:0051868 may be a good option where we have to explicitly make config options public rather than the other way around. |
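As an added illustration of the two concerns raised in this thread (the renamed salt option slipping past the blacklist, and a non-scalar global such as $g_cache_config being stringified), here is the blacklist form of config_is_private() from the original code next to the whitelist form from the patch, run through a simulated SOAP getter against a small constructed config store. This is example code, not MantisBT's own; the names $g_public_config_names and crypto_master_salt come from the patch, while the config values, the simulated getter and the helper function names are constructed for the example.

```php
<?php
// Added example, not MantisBT code. Constructed config values standing in
// for MantisBT globals; none of these values are real.
$g_config = array(
    'window_title'       => 'MantisBT',
    'wiki_enable'        => 'OFF',
    'crypto_master_salt' => 'CONSTRUCTED-SALT-VALUE',              // option renamed in 1.3
    'db_password'        => 'CONSTRUCTED-DB-PASSWORD',
    'cache_config'       => array( 'db_password' => 'CONSTRUCTED' ), // non-scalar global
);

// Whitelist in the shape introduced by the patch (abridged, constructed subset).
$g_public_config_names = array(
    'webservice_version_when_not_found',
    'wiki_enable',
    'window_title',
);

/**
 * Old approach: enumerate the secrets. The pre-fix name 'master_crypto_salt'
 * never matches the real option 'crypto_master_salt', so the salt is exposed.
 */
function config_is_private_blacklist( $p_config_var ) {
    switch( $p_config_var ) {
        case 'db_password':
        case 'master_crypto_salt':
            return true;
    }
    return false;
}

/** New approach from the patch: anything not explicitly public is private. */
function config_is_private_whitelist( $p_config_var ) {
    global $g_public_config_names;
    return !in_array( $p_config_var, $g_public_config_names, true );
}

/**
 * Constructed stand-in for mc_config_get_string(). $p_is_private is the name
 * of the predicate under test. Returns the value, or an error string.
 */
function simulated_mc_config_get_string( $p_config_var, $p_is_private ) {
    global $g_config;
    if( $p_is_private( $p_config_var ) ) {
        return 'ERROR: Access denied to ' . $p_config_var;
    }
    if( !array_key_exists( $p_config_var, $g_config ) ) {
        return 'ERROR: Unknown option ' . $p_config_var;
    }
    $t_value = $g_config[$p_config_var];
    // Refuse non-scalar values instead of stringifying them: an implicit
    // array-to-string conversion is exactly how an internal structure such as
    // the config cache could otherwise be serialised out to a SOAP client.
    if( !is_scalar( $t_value ) ) {
        return 'ERROR: Option ' . $p_config_var . ' is not a scalar';
    }
    return (string)$t_value;
}

foreach( array( 'window_title', 'crypto_master_salt', 'db_password', 'cache_config' ) as $t_name ) {
    printf( "%-20s blacklist: %-45s whitelist: %s\n",
        $t_name,
        simulated_mc_config_get_string( $t_name, 'config_is_private_blacklist' ),
        simulated_mc_config_get_string( $t_name, 'config_is_private_whitelist' ) );
}
```

Running it shows the difference in one screen: the blacklist version returns the salt value because the name in its switch is stale, while the whitelist version denies everything except the two listed options, including the array-valued cache entry, which only the explicit is_scalar() check stops in the blacklist variant.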
|
What's the plan with this? Are we going to go with the white listing approach by defining config_is_public() ? @atrol what's your plan for this? |
|
I will provide another patch based on a white list approach. |
|
Reminder sent to: dregad, rombert, vboctor I would like to be sure that I am on the right track. |
|
@atrol that is what I had in mind. I wonder if it would be better to sort the config options alphabetically, one per line. |
|
That's the price to pay for having so many different configs...
+1, would make maintenance easier. For PHPDoc block, add a short description on first line ending with a '.', e.g. |
|
Attached a new patch. |
|
Looks good. Few comments:
|
BTW, I forgot to add $g_public_config_names to $g_global_settings. Attached new patch. |
|
Overall I think this looks good. At some point I worried that it will be easy to overlook adding new 'public' configuration options to the whitelist as we create them, but I don't think doing something more elaborate is worth it. |
|
Looks good. I wonder if we should call the config option 'config_names_public' or 'config_public', so that if we add others in the future, they will be grouped together. e.g. config_names_sensitive or config_names_private or whatever. Don't have a scenario right now, but I have started using this convention sometime ago. Let's go ahead with the next steps on this. |
|
0020277:0051852 |
|
Not yet, I usually don't until a patch is available, since announcing it on the ML is effectively making the vulnerability public. If you think 'fix-20277-3.patch' is the final one, I'll go ahead and get the CVE. Let me know. |
|
So I think 'fix-20277-3.patch' is the final one from my side. Not sure if this is worth delaying the fix
Keep in mind that I will have limited internet access until next Monday. |
|
For the CVE: does the issue only affect 1.3.x ? I mean, crypto_master_salt obviously does not exist in 1.2, but the switch from blacklist to whitelist potentially changes the available configs. Should this be backported ?
I think we do, but that can be treated as a separate issue (see 0020468) |
|
I am not aware that there is any option in 1.2 accessible via SOAP that decreases security to the same degree as crypto_master_salt did in 1.3. crypto_master_salt has been introduced to improve security by design, but was completely useless before the patch. So I think that a backport to 1.2 is not bad but is not needed. |
|
Reopened to track the CVE request process; will reassign to you once it's done |
|
CVE request http://permalink.gmane.org/gmane.comp.security.oss.general/18479 |
|
CVE assignment http://thread.gmane.org/gmane.comp.security.oss.general/18479/focus=18483 |
|
MantisBT: master 7927c275 2015-12-23 09:32 Committer: dregad Details Diff |
Implement a white list of options accessible via SOAP API This is a safer approach than the previous blacklist method, which could potentially allow confidential information disclosure if a config were added or renamed without a matching change in config_is_private() function. Fixes 0020277 Original commit modified: comments and commit message wording. Signed-off-by: Damien Regad <dregad@mantisbt.org> |
Affected Issues 0020277 |
|
mod - config_defaults_inc.php | Diff File | ||
mod - core/config_api.php | Diff File | ||
mod - docbook/Admin_Guide/en-US/config/settings.xml | Diff File |