Revealing Access to DB to anyone if DB is down or overloaded #1667

Closed
anonymous-matomo-user opened this issue Sep 1, 2010 · 6 comments
Labels
Bug For errors / faults / flaws / inconsistencies etc. Critical Indicates the severity of an issue is very critical and the issue has a very high priority. wontfix If you can reproduce this issue, please reopen the issue or create a new one describing it.
Comments

@anonymous-matomo-user

If the MySQL Server is unavailable, Piwik's Zend PDO Class throws not only an error, it reveals Host, Username, Password, Port and Database.

This can be seen as a severe security bug. At least the password should be masked.

I've attached the page content below (all sensitive data has been replaced by XXXXXX)

PDO::__construct(): [2002] No such file or directory (trying to connect via unix:///var/run/mysqld/mysqld.sock) 
in '/var/www/libs/Zend/Db/Adapter/Pdo/Abstract.php' at the line 129

#0  Piwik_ErrorHandler(2, PDO::__construct(): [2002] No such file or directory (trying to connect via unix:///var/run/mysqld/mysqld.sock), /var/www/libs/Zend/Db/Adapter/Pdo/Abstract.php, 129, Array ([dsn] => mysql:host=XXXXXXXXX;dbname=XXXXXXXXXX;port=3306,[q] => ))
#1  PDO->__construct(mysql:host=XXXXXXXXX;dbname=XXXXXXXXX;port=3306, XXXXXXXXX, XXXXXXXXX, Array ([1002] => SET NAMES 'utf8')) called at [/var/www/libs/Zend/Db/Adapter/Pdo/Abstract.php:129]
#2  Zend_Db_Adapter_Pdo_Abstract->_connect() called at [/var/www/libs/Zend/Db/Adapter/Pdo/Mysql.php:96]
#3  Zend_Db_Adapter_Pdo_Mysql->_connect() called at [/var/www/core/Db/Adapter/Pdo/Mysql.php:31]
#4  Piwik_Db_Adapter_Pdo_Mysql->getConnection() called at [/var/www/core/Db/Adapter.php:49]
#5  Piwik_Db_Adapter::factory(PDO_MYSQL, Array ([host] => XXXXXXXXX,[username] => XXXXXXXXX,[password] => XXXXXXXXXXX,[dbname] => XXXXXXXXX,[port] => 3306,[charset] => utf8,[profiler] => 0)) called at [/var/www/core/Piwik.php:1444]
#6  Piwik::createDatabaseObject() called at [/var/www/core/FrontController.php:217]
#7  Piwik_FrontController->init() called at [/var/www/index.php:59]

@anonymous-matomo-user
Author

I don't think you can blame Piwik for this. You shouldn't enable printing PHP errors in a production environment, let alone backtraces. Log them instead to a file or via syslog.

@anonymous-matomo-user
Author

I'm not going to blame Piwik for this. I've just tested this on mostly default setups.
Indeed, you're right to remark that logging shouldn't be done onsite, but as said, this is a really default behaviour across different distributions.
I wouldn't see this bug as closed.

@anonymous-matomo-user
Author

Sorry for writing twice, but I've recently disabled this by setting PHP's display_errors to Off.
This does NOT take any effect. Data is revealed as before.

@halfdan
Member

halfdan commented Sep 1, 2010

Create a bootstrap.php in your Piwik root directory and add the following code:

<?php

// Stop Piwik from rendering errors (and their backtraces) to the page
define('PIWIK_DISPLAY_ERRORS', 0);

Have a look at http://dev.piwik.org/trac/wiki/API/IncludePiwikInYourProject for explanations.

I agree that this is an issue users might have with many hosting companies who leave display_errors = On. Piwik should recommend disabling errors during install maybe.
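
The two points raised so far in this thread are that the backtrace in the report carries the DSN, user name and password as call arguments, and that on-page error display should be off. The following is an added example, not Piwik's own code, of how a connection helper can keep those values out of anything the browser sees: it catches the PDOException, writes a redacted backtrace to an administrator log, and surfaces only a generic message. It assumes PHP 8 (for str_starts_with), the pdo_mysql driver, a constructed sample config, and a hypothetical log path.

```php
<?php
// Added example, not Piwik's code: connect through PDO and, on failure, write a
// redacted backtrace to a log file instead of letting the DSN and credentials
// reach the browser. Assumes PHP 8 (str_starts_with) and the pdo_mysql driver.
declare(strict_types=1);

// Config keys whose values must never appear in a log or error page.
const SENSITIVE_KEYS = ['host', 'username', 'password', 'dsn'];

// Recursively mask sensitive entries in a keyed argument array (like the config
// array handed to the adapter factory in the reported trace) and any DSN string.
function redactArgs($value)
{
    if (is_string($value)) {
        return str_starts_with($value, 'mysql:') ? 'mysql:[redacted]' : $value;
    }
    if (!is_array($value)) {
        return $value;
    }
    $out = [];
    foreach ($value as $k => $v) {
        $out[$k] = (is_string($k) && in_array(strtolower($k), SENSITIVE_KEYS, true))
            ? '******'
            : redactArgs($v);
    }
    return $out;
}

// Render a backtrace without secret argument values. PDO::__construct receives
// the DSN, user and password positionally, so that frame's args are dropped entirely.
function safeTrace(Throwable $e): string
{
    $lines = [];
    foreach ($e->getTrace() as $i => $frame) {
        $call  = ($frame['class'] ?? '') . ($frame['type'] ?? '') . ($frame['function'] ?? '');
        $args  = ($frame['class'] ?? '') === 'PDO' ? ['[redacted]'] : redactArgs($frame['args'] ?? []);
        $where = isset($frame['file']) ? sprintf(' at [%s:%d]', $frame['file'], $frame['line'] ?? 0) : '';
        $lines[] = sprintf('#%d %s(%s)%s', $i, $call, json_encode($args), $where);
    }
    return implode("\n", $lines);
}

function connect(array $config, string $logFile): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;port=%d;charset=utf8',
        $config['host'], $config['dbname'], $config['port']);
    try {
        return new PDO($dsn, $config['username'], $config['password']);
    } catch (PDOException $e) {
        // Full detail (redacted) goes to the administrator's log only...
        error_log(sprintf("[%s] DB connection failed: %s\n%s\n",
            date('c'), $e->getMessage(), safeTrace($e)), 3, $logFile);
        // ...and the user sees a generic message with no connection parameters.
        throw new RuntimeException('Database is unavailable; please try again later.');
    }
}

// Even an exception nobody catches must not be rendered to the page.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed sample config; port 3307 is chosen so that no server answers.
$config = ['host' => '127.0.0.1', 'username' => 'piwik', 'password' => 's3cret',
           'dbname' => 'piwik', 'port' => 3307];
try {
    connect($config, '/tmp/db-errors.log');   // hypothetical log path
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;           // no host, user or password in output
}
```

Two details worth checking on a real host: whether getTrace() carries argument values at all depends on the zend.exception_ignore_args ini setting (on in production-style php.ini files, which is itself a cheap mitigation), and a debugging extension that prints its own stack trace on every exception bypasses this helper entirely, which is why display_errors and the extension's own settings still need to be off.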

@robocoder
Contributor

No. This exception is normally caught, and the user redirected to the installer. It sounds like you either have xdebug and/or disabled Piwik's Installation plugin.

Note: there's a buggy version of xdebug that would print a stacktrace even if the exception is caught.

@mattab
Member

mattab commented Nov 16, 2010

This is a dupe of #1817

@anonymous-matomo-user anonymous-matomo-user added this to the Piwik 1.1 milestone Jul 8, 2014
@mattab mattab added the wontfix label Aug 3, 2014
This issue was closed.