[mythtv-commits] Ticket #257: Sort of security issue: sensitive data sent outside

MythTV mythtv at cvs.mythtv.org
Wed Aug 24 17:04:18 UTC 2005


#257: Sort of security issue: sensitive data sent outside
-----------------------------------+----------------------------------------
 Reporter:  daniel.danner at gmx.net  |       Owner:  xris
     Type:  defect                 |      Status:  new 
 Priority:  minor                  |   Milestone:      
Component:  mythweb                |     Version:      
 Severity:  medium                 |          Cc:      
-----------------------------------+----------------------------------------
 I experienced something with mythweb that might be problematic considering
 security.

 When mythweb runs on any dyndns host (for example
 'somemythweb.dnsalias.org'), and this line in conf.php remains unchanged
 (because it looks like good automagic):
 {{{
 define('error_email',
        'mythweb_errors@'.preg_replace('/.*?\b([\w\-]+\.[\w\-]+)$/', '$1', server_domain));
 }}}
 ...mythweb will send every PHP error report to
 mythweb_errors at dnsalias.org, which potentially enables complete strangers
 to read the report. This doesn't sound ''that'' evil at first, but I
 noticed the following lines in such reports:
 {{{
 [PHP_AUTH_USER] => someuser
 [PHP_AUTH_PW] => somepasswd
 }}}

 So if one's mythweb runs on a public server protected by some simple
 mod_auth, and he doesn't look ''very'' carefully at his conf.php, his
 login data could potentially be sent anywhere.

 I was just thinking, you might want to change this default behaviour to
 something like error_email=mythweb_errors at localhost...

-- 
Ticket URL: <http://cvs.mythtv.org/trac/ticket/257>
MythTV <http://www.mythtv.org/>
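
An added example, not part of the ticket or of MythWeb's code: it runs the conf.php expression quoted above against constructed hostnames to show which domain the report address resolves to, next to a local-only default and a redaction step for the credential variables the ticket mentions. The names `derived_error_domain`, `error_recipient` and `redact_server_vars` are hypothetical.

```php
<?php
// Added example; not MythWeb code. Hostnames and $_SERVER values are constructed samples.

// The expression from conf.php: keep only the last two DNS labels of the host.
function derived_error_domain(string $server_domain): string
{
    return preg_replace('/.*?\b([\w\-]+\.[\w\-]+)$/', '$1', $server_domain);
}

// Hypothetical default: deliver locally unless the admin configured an address.
function error_recipient(?string $configured): string
{
    return ($configured !== null && $configured !== '')
        ? $configured
        : 'mythweb_errors@localhost';
}

// Hypothetical helper: mask credential-bearing keys before a dump is mailed.
function redact_server_vars(array $server): array
{
    $sensitive = ['PHP_AUTH_USER', 'PHP_AUTH_PW', 'PHP_AUTH_DIGEST', 'HTTP_AUTHORIZATION'];
    foreach ($sensitive as $key) {
        if (array_key_exists($key, $server)) {
            $server[$key] = '[redacted]';
        }
    }
    return $server;
}

// Where the unchanged default would send reports for a few hosts.
foreach (['somemythweb.dnsalias.org', 'my-box.dnsalias.org', 'localhost'] as $host) {
    printf("%-26s -> mythweb_errors@%s\n", $host, derived_error_domain($host));
}

// With no address configured, the report stays on the machine.
echo 'recipient: ', error_recipient(null), "\n";

// Constructed sample of the variables seen in the report.
$sample = [
    'PHP_AUTH_USER' => 'someuser',
    'PHP_AUTH_PW'   => 'somepasswd',
    'REQUEST_URI'   => '/mythweb/',
];
print_r(redact_server_vars($sample));
```

Any host under a shared dynamic-DNS suffix collapses to that suffix, so the report leaves the administrator's control unless the address is set explicitly.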