Fix CVE-2018-15684 #60

Merged
merged 1 commit into from Oct 2, 2018

@rastating
Contributor

rastating commented Oct 1, 2018

This change fixes the issue previously disclosed regarding the unauthorised access to PHP log files via:

  1. Predictable file names
  2. Lack of directory index

The index.html file has been added to prevent the directory listing being displayed. The change to the database script will ensure that xbtit-errors remains the base name, but will append 16 characters (in the range of a-f and 0-9).

After completing an installation using these changes, the initial value of the log file can be seen to contain a random string below:

```
mysql> select * from xbtit3_settings where `key` = 'php_log_name';
+--------------+-------------------------------+
| key          | value                         |
+--------------+-------------------------------+
| php_log_name | xbtit-errors-e2a379d9314a8cb4 |
+--------------+-------------------------------+
1 row in set (0.00 sec)
```

@atmoner

Collaborator

atmoner commented Oct 1, 2018

Good idea!!
Can you check that backend file (https://github.com/btiteam/xbtit/blob/master/admin/admin.sitelog.php) is not affected by this change? (sorry, I can not afford to do the checks now)

I would validate the commit if it does not affect the log display ;)

@rastating

Contributor

rastating commented Oct 2, 2018

It shouldn't have any knock-on effect, as they're two separate logs. The base name stored in php_log_name is the base name which can be configured by end users for the files stored in /include/logs/ which have the current date appended to them and then used to dump PHP errors that occur.

@Gh0st4unt3r Gh0st4unt3r merged commit bfe35a1 into btiteam:master Oct 2, 2018
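
An added example, not part of this PR or the xbtit code base: a Python check that audits a `php_log_name` value and a logs directory for the two weaknesses named in the PR description (predictable file name, missing `index.html`). The function names, the `.log` extension and the date format in the constructed file names are assumptions, and the check for logs left under the old name goes beyond what the PR describes.

```python
import re
import secrets
import tempfile
from pathlib import Path

BASE_NAME = "xbtit-errors"                 # base name given in the PR description
SUFFIX_RE = re.compile(r"-[0-9a-f]{16}$")  # 16 characters in a-f / 0-9

def new_log_name(base=BASE_NAME):
    """Hypothetical helper: base name plus 16 hex chars (64 bits) from the OS CSPRNG."""
    return f"{base}-{secrets.token_hex(8)}"

def audit(log_name, logs_dir):
    """Return findings for a php_log_name value and the directory holding the logs."""
    findings = []
    if not SUFFIX_RE.search(log_name):
        findings.append("predictable log name: no 16-hex random suffix")
    if not (logs_dir / "index.html").is_file():
        findings.append("no index.html: directory listing may be exposed")
    # Beyond the PR: logs written under the old name stay guessable until removed.
    for f in sorted(logs_dir.iterdir()):
        if f.name.startswith(BASE_NAME) and not f.name.startswith(log_name):
            findings.append(f"stale log under old name: {f.name}")
    return findings

def demo():
    """Audit a constructed logs directory before and after the fix is applied."""
    with tempfile.TemporaryDirectory() as tmp:
        logs = Path(tmp)
        # Constructed file names; the date format and .log extension are assumptions.
        (logs / "xbtit-errors-2018-10-01.log").write_text("constructed\n")
        before = audit("xbtit-errors", logs)
        name = new_log_name()
        (logs / "index.html").write_text("")
        (logs / f"{name}-2018-10-02.log").write_text("constructed\n")
        after = audit(name, logs)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```
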
