Opened 14 years ago

Closed 14 years ago

#257 closed defect (wontfix)

Sort of security issue: sensitive data sent outside

Reported by: daniel.danner@…
Owned by: xris
Priority: minor
Milestone: unknown
Component: mythweb
Version:
Severity: medium
Keywords:
Cc:
Ticket locked: no

Description

I experienced something with mythweb that might be problematic considering security.

When mythweb runs on any dyndns host (for example 'somemythweb.dnsalias.org'), and this line in conf.php remains unchanged (because it looks like good automagic):

define('error_email', 'mythweb_errors@'.preg_replace('/.*?\b([\w\-]+\.[\w\-]+)$/', '$1', server_domain));

...mythweb will send every PHP error report to mythweb_errors@…, which potentially enables complete strangers to read the report. This doesn't sound that evil at first, but I noticed the following lines in such reports:

[PHP_AUTH_USER] => someuser
[PHP_AUTH_PW] => somepasswd

So if one's mythweb runs on a public server protected by some simple mod_auth, and he doesn't look very carefully at his conf.php, his login data could potentially be sent anywhere.

I was just thinking, you might want to change this default behaviour to something like error_email=mythweb_errors@localhost...
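The following PHP is an added illustration, not MythWeb's own code: it shows where the conf.php default sends error mail for a dyndns host, the local-only alternative the reporter suggests, and a redaction step for `$_SERVER`-style data before it is included in a report. The host name, the report array and the extra header keys in `$sensitive` (beyond the `PHP_AUTH_*` entries quoted in the ticket) are constructed assumptions.

```php
<?php
// Added example (not part of MythWeb). Constructed sample host name.
const SERVER_DOMAIN_SAMPLE = 'somemythweb.dnsalias.org';

// Same derivation as the conf.php default: keep only the last two
// labels of the host, so the address lands in the dyndns provider's domain.
function defaultErrorEmail(string $serverDomain): string
{
    return 'mythweb_errors@' .
        preg_replace('/.*?\b([\w\-]+\.[\w\-]+)$/', '$1', $serverDomain);
}

// The setting the reporter proposes: reports stay on the local host.
function localErrorEmail(): string
{
    return 'mythweb_errors@localhost';
}

// Strip credential-bearing keys from a $_SERVER-like array before it is
// dumped into an error report. Keys other than PHP_AUTH_* are assumptions.
function redactServerVars(array $server): array
{
    $sensitive = ['PHP_AUTH_USER', 'PHP_AUTH_PW', 'HTTP_AUTHORIZATION', 'HTTP_COOKIE'];
    foreach ($sensitive as $key) {
        if (array_key_exists($key, $server)) {
            $server[$key] = '[redacted]';
        }
    }
    return $server;
}

// Constructed sample of what a report would otherwise contain.
$sampleReport = [
    'PHP_AUTH_USER' => 'someuser',
    'PHP_AUTH_PW'   => 'somepasswd',
    'REQUEST_URI'   => '/mythweb/tv/recorded',
];

echo defaultErrorEmail(SERVER_DOMAIN_SAMPLE), "\n"; // mythweb_errors@dnsalias.org
echo localErrorEmail(), "\n";                        // mythweb_errors@localhost
print_r(redactServerVars($sampleReport));
```

Running this prints `mythweb_errors@dnsalias.org` for the sample host, which is the behaviour the ticket describes: the lazy `.*?` followed by `\b` discards everything up to the last two labels, so any host under a shared dyndns domain mails its reports to an address in that shared domain. The redaction step is independent of the address choice and is worth applying even when mail stays local.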

Change History (1)

comment:1 Changed 14 years ago by xris

Resolution: wontfix
Status: new → closed

Not really a security risk, but an annoyance for the admin of the server the user uses. However, this is more of a problem for the user who didn't read the instructions in the file. I may someday decide to leave this setting disabled by default, but for now I plan to leave it how it is and improve the documentation.
