Summary | horde disclosure of DB connection string in error message |
Queue | Horde Base |
Queue Version | HEAD |
Type | Bug |
State | Not A Bug |
Priority | 1. Low |
Owners | |
Requester | liamr (at) deathstar (dot) org |
Created | 03/10/2007 (6663 days ago) |
Due | |
Updated | 03/12/2007 (6661 days ago) |
Assigned | 03/11/2007 (6662 days ago) |
Resolved | 03/12/2007 (6661 days ago) |
Github Issue Link | |
Github Pull Request | |
Milestone | |
Patch | No |
Could the docs or the wiki explicitly mention that the DB object is
only dumped for administrators and not for the average user? I've
worried that we were exposing our DB connection information during DB
problems for years now.
State ⇒ Not A Bug
Administrator", but administrators get the dump of the DB object.
Is this the piece of documentation that suggests this behavior?
docs/INSTALL - section 5a:
a. In the ``Which users should be treated as administrators`` field enter a
comma separated list of user names of your choosing. This will control
who is allowed to make configuration changes, see passwords, potentially
add users, etc.
State ⇒ Feedback
only seeing this because you're an administrator.
Priority ⇒ 1. Low
Type ⇒ Bug
Summary ⇒ horde disclosure of DB connection string in error message
Queue ⇒ Horde Base
State ⇒ Unconfirmed
fatal error, it sends a print_r() of the DB object to the browser. It
exposes the database connection information for all the world to see,
and that's a terrible thing to do.
A fatal error has occurred
DB Error: connect failed
[line 90 of
/usr/local/projects/webmail/html-dev/horde/ingo/lib/Storage/sql.php]
Details (also in Horde's logfile):
object(DB_Error)#22 (8) {
["error_message_prefix"]=>
...
["dsn"]=>
array(13) {
["phptype"]=>
string(5) "mysql"
["dbsyntax"]=>
string(5) "mysql"
["username"]=>
string(5) "horde"
["password"]=>
string(9) "L3tM3In!"
["protocol"]=>
string(3) "tcp"
["hostspec"]=>
string(24) "mysql.example.com"
["port"]=>
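The report above shows the core problem: a raw print_r() of the DB_Error object carries the whole DSN, password included, into the browser. The following is an added example, not Horde's own code, of how a defender would render such a failure: the full record goes only to the server log, non-administrators get a generic message, and even administrators see the DSN with the password masked and the output HTML-escaped. The function names, the `$isAdmin` flag and the array shape of `$details` are assumptions; the sample values are copied from the dump in the report (the port, which the page does not show, is left out).

```php
<?php
// Added example (not part of Horde). Shows the safe way to surface a
// database connection failure to a browser without leaking the DSN.

// DSN keys that must never be rendered verbatim in a browser-facing page.
// Assumption: the DSN is a PEAR-style array like the one in the dump above.
const SECRET_DSN_KEYS = ['password'];

/**
 * Return a copy of a DSN array with the secret fields masked.
 */
function redact_dsn(array $dsn): array
{
    foreach (SECRET_DSN_KEYS as $key) {
        if (array_key_exists($key, $dsn)) {
            $dsn[$key] = '[redacted]';
        }
    }
    return $dsn;
}

/**
 * Build the HTML fragment that is safe to send to the browser.
 * $details is the array form of the error (hypothetical shape),
 * $isAdmin says whether the current user is a Horde administrator.
 */
function render_db_error(array $details, bool $isAdmin): string
{
    // The unredacted record belongs only in the server log, where an
    // operator with shell access reads it; never in the HTTP response.
    error_log('DB error: ' . json_encode($details));

    $message = $details['message'] ?? 'DB Error';
    $html = '<p>A fatal error has occurred</p>'
          . '<p>' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';

    if (!$isAdmin) {
        // Ordinary users get the generic text and nothing else.
        return $html;
    }

    // Administrators may see where it happened and which database was
    // targeted, but the password is masked: the browser is an untrusted
    // channel (proxies, shared screens, pasted screenshots).
    if (isset($details['dsn']) && is_array($details['dsn'])) {
        $details['dsn'] = redact_dsn($details['dsn']);
    }
    // Escape before embedding: error text may contain attacker-controlled
    // input, and a debug dump must not turn into an injection vector.
    return $html
         . '<p>Details (full record in the server log):</p>'
         . '<pre>' . htmlspecialchars(print_r($details, true), ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Constructed sample mirroring the shape of the dump in the report.
$sample = [
    'message' => 'DB Error: connect failed',
    'dsn' => [
        'phptype'  => 'mysql',
        'dbsyntax' => 'mysql',
        'username' => 'horde',
        'password' => 'L3tM3In!',          // value as shown in the report
        'protocol' => 'tcp',
        'hostspec' => 'mysql.example.com',
    ],
];

echo render_db_error($sample, false), "\n"; // generic message only
echo render_db_error($sample, true), "\n";  // details with password masked
```

Running the script prints the generic message for the non-admin case and the escaped, redacted dump for the admin case, while the complete structure (password included) appears only in the PHP error log.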