New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Logging Errors in notifications can leak the super user token #7301
Comments
|
OK maybe it isn't a critical security bug as maybe this could only occur when |
one solution could be to remove XYZ whenever a notification wants to display |
If we want to globally fix this, I'd say that nothing that gets executed as super user should log to the current user (which could be anonymous). So logging for stuff executed as SU should not go to screen (because else it could happen somewhere else, not simply logging the token auth but logging anything related to SU or system). But is there a way to know whether we are currently in super user mode? |
More generally I think there should be a clear isolation between the current user request and "do as super user" stuff. Mixups and info leaks could happen with the logs but also maybe with anything that stores stuff in the session, maybe the cookies, maybe user settings, maybe stuff like activity log, etc, do you see anything else? In theory nothing user-related should be shared between those 2 contexts, just like if the super user stuff was running in a separate PHP process. E.g. imagine the activity log logs an action that was done by "doAsSuperUser" while running in an anonymous user's request. Not a security issue, but it's an example of a mixup between those 2 "contexts". |
Back to the issue here, the token is logged to screen but also to file. If that is not OK to log the token to file, maybe we should try to avoid logging the token at all in the first place? |
+1 |
Just a loose thought - wouldn't that kind of approach remove also useful things from logs ? |
Replacing |
Yes, I think. Also just got another thought - it could be configurable param in case we would like to actually see what token auth is being used (maybe for debuging scheduled reports - we could check if wrong token is reason for task failing or so). Probably there would be more cases when we would like to verify if proper token is being used for given API call |
I think so, +1 |
I have pushed a commit that does the replacement. Should we close this? |
Looks good to me |
The goal of this issue is to fix a security issue where the Super User token_auth can be leaked to non logged in users.
For example in my case I was not even logged in (I was
anonymous
user) and still, I was shown the Super User token auth!The error that was logged while I was anonymous was:
ERROR: Got invalid response from API request: http://localhost/piwik-master/index.php?module=API&method=CoreAdminHome.runScheduledTasks&format=csv&convertToUnicode=0&token_auth=9b1cefc915ff6180071fb7dcd13ec5a4&trigger=archivephp. Response was 'sendmail: fatal: open /etc/postfix/main.cf: No such file or directory task,output Piwik\Plugins\CoreAdminHome\Tasks.purgeOutdatedArchives,Time elapsed: 2.807s Piwik\Plugins\ExamplePlugin\Tasks.myTaskWithParam_anystring,Time elapsed: 0.000s Piwik\Plugins\ExamplePlugin\Tasks.myTask,Time elapsed: 0.000s Piwik\Plugins\ScheduledReports\API.sendReport_1,ERROR: An error occured while sending 'HTML Email Report - 1.2015-02-19.1.en.html' to test@test.com. Error was 'Unable to send mail. ' Piwik\Plugins\CoreAdminHome\Tasks.purgeInvalidatedArchives,Time elapsed: 0.001s Piwik\Plugins\PrivacyManager\Tasks.deleteReportData,Time elapsed: 0.002s Piwik\Plugins\PrivacyManager\Tasks.deleteLogData,Time elapsed: 0.002s Piwik\Plugins\CorePluginsAdmin\Tasks.clearAllCacheEntries,Time elapsed: 0.001s Piwik\Plugins\CorePluginsAdmin\Tasks.sendNotificationIfUpdatesAvailable,Time elapsed: 0.001s Piwik\Plugins\CoreAdminHome\Tasks.optimizeArchiveTable,Time elapsed: 0.131s Piwik\Plugins\UserCountry\GeoIPAutoUpdater.update,Time elapsed: 0.050s Piwik\Plugins\CoreUpdater\Tasks.sendNotificationIfUpdateAvailable,Time elapsed: 0.001s'
As you can see it leaks the token_auth.
This occurs because one of the scheduled task failed with an ERROR, here the error being
sendmail: fatal: open /etc/postfix/main.cf: No such file or directory
The text was updated successfully, but these errors were encountered: