array to string conversion in 2.14.0 in 3 places #8268

Closed
SR-mkuhn opened this issue Jul 2, 2015 · 4 comments
Labels
wontfix If you can reproduce this issue, please reopen the issue or create a new one describing it.


@SR-mkuhn

SR-mkuhn commented Jul 2, 2015

via http://forum.piwik.org/read.php?2,127703

Array to string conversions seem to happen in 3 places in Piwik 2.14.0:

WARNING: /srv/www/htdocs/piwik/core/Plugin/Report.php(799): Warning - ucfirst() expects parameter 1 to be string, array given - Piwik 2.14.0

public static function factory($module, $action):
...
  $api = $module . '.' . ucfirst($action);
...

WARNING: /srv/www/htdocs/piwik/core/Http/ControllerResolver.php(63): Notice - Array to string conversion - Piwik 2.14.0

public function getController($module, $action, array &$parameters):
...
   throw new Exception(sprintf("Action '%s' not found in the module '%s'", $action, $module));
...

WARNING: /srv/www/htdocs/piwik/core/Http/ControllerResolver.php(132): Warning - substr() expects parameter 1 to be string, array given - Piwik 2.14.0

in private function isReportMenuAction($action):
...
   $startsWithMenu = (Report::PREFIX_ACTION_IN_MENU === substr($action, 0, strlen(Report::PREFIX_ACTION_IN_MENU)));
...

Greetings
mkuhn

@tsteur
Member

tsteur commented Jul 2, 2015

When does it happen? Can you let us know the steps to reproduce? Maybe you have a URL? Feel free to remove the domain of the URL and possible token_auth parameters

@SR-mkuhn
Author

SR-mkuhn commented Jul 3, 2015

This happened during a penetration test via acunetix.

http://example.com/piwik/index.php?action[$acunetix]=1&form_login=erssdkay&form_nonce=dxxxxxxxxxxxxxxxxxxxxxxxxxxxd&form_password=g00dPa%24%24w0rD&form_password_bis=g00dPa%24%24w0rD&module=Login

This is from the data-field in the piwik-session table (database session handling is activated):
https://gist.github.com/SR-mkuhn/62934559874a8f2fddcc

As those errors pile up in this field, an attacker can fill a database easily.

SR-mkuhn changed the title from "array to string conversion in 2.13.1 in 4 places" to "array to string conversion in 2.14.0 in 3 places (was 2.13.1 in 4 places)" Jul 9, 2015
SR-mkuhn changed the title from "array to string conversion in 2.14.0 in 3 places (was 2.13.1 in 4 places)" to "array to string conversion in 2.14.0 in 3 places" Jul 9, 2015
@mattab
Member

mattab commented Jul 15, 2015

Hi @SR-mkuhn
The payload is kinda designed to trigger warnings and notices (i.e. passing arrays instead of strings) so I don't think we need to fix these.

@mattab mattab closed this as completed Jul 15, 2015
@mattab mattab added the wontfix If you can reproduce this issue, please reopen the issue or create a new one describing it. label Jul 15, 2015
@SR-mkuhn
Author

But wouldn't it be a security improvement to have a preliminary test if your inputs (and types) are sane?
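
A sketch of the kind of preliminary type check asked about above, as an added example that is not part of the thread and not Piwik's own code. The helper name `requireIdentifier`, its character and length policy, and the sample query strings are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a Piwik function): return a routing parameter only
// if it is a string of identifier characters; reject arrays and anything else.
function requireIdentifier(array $query, string $name): string
{
    if (!array_key_exists($name, $query)) {
        throw new InvalidArgumentException("Missing parameter '$name'");
    }
    $value = $query[$name];
    // PHP turns "action[x]=1" into an array, so the type has to be checked
    // before the value reaches ucfirst(), substr() or sprintf().
    if (!is_string($value)) {
        throw new InvalidArgumentException(
            "Parameter '$name' must be a string, " . gettype($value) . ' given'
        );
    }
    // Assumed policy for this example: letters, digits, underscore, max 64 chars.
    if (preg_match('/^[A-Za-z0-9_]{1,64}$/', $value) !== 1) {
        throw new InvalidArgumentException("Parameter '$name' has an invalid format");
    }
    return $value;
}

// Constructed sample query strings, modelled on the request in this thread.
$samples = [
    'module=Login&action[$acunetix]=1',
    'module=Login&action=index',
];

foreach ($samples as $raw) {
    parse_str($raw, $query); // same parsing rules PHP uses to fill $_GET
    try {
        $module = requireIdentifier($query, 'module');
        $action = requireIdentifier($query, 'action');
        echo "OK: $module.$action\n";
    } catch (InvalidArgumentException $e) {
        // One short, fixed-format message per bad request; the raw value is
        // never echoed back or stored.
        echo 'Rejected: ' . $e->getMessage() . "\n";
    }
}
```

Run with the PHP CLI, the first sample is rejected with "must be a string, array given" and the second prints `OK: Login.index`.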
