[mythtv-commits] Ticket #257: Sort of security issue: sensitive data sent outside
MythTV
mythtv at cvs.mythtv.org
Wed Aug 24 17:04:18 UTC 2005
#257: Sort of security issue: sensitive data sent outside
-----------------------------------+----------------------------------------
Reporter: daniel.danner at gmx.net | Owner: xris
Type: defect | Status: new
Priority: minor | Milestone:
Component: mythweb | Version:
Severity: medium | Cc: |
-----------------------------------+----------------------------------------
I experienced something with mythweb that might be problematic considering
security.
When mythweb runs on any dyndns host (for example
'somemythweb.dnsalias.org'), and this line in conf.php remains unchanged
(because it looks like good automagic):
{{{
define('error_email',
       'mythweb_errors@'.preg_replace('/.*?\b([\w\-]+\.[\w\-]+)$/', '$1', server_domain));
}}}
...mythweb will send every PHP error report to
mythweb_errors at dnsalias.org, which potentially enables complete strangers
to read the report. This doesn't sound ''that'' evil at first, but I
noticed the following lines in such reports:
{{{
[PHP_AUTH_USER] => someuser
[PHP_AUTH_PW] => somepasswd
}}}
So if one's mythweb runs on a public server protected by some simple
mod_auth, and he doesn't look ''very'' carefully at his conf.php, his
login data could potentially be sent anywhere.
I was just thinking, you might want to change this default behaviour to
something like error_email=mythweb_errors at localhost...
--
Ticket URL: <http://cvs.mythtv.org/trac/ticket/257>
MythTV <http://www.mythtv.org/>
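
Added example, not part of the ticket and not MythWeb's own code: it runs the conf.php derivation quoted above on a few constructed host names, then shows a hypothetical safer default and a redaction step for the two credential fields the report mentions. The function names, the owned-domain list and the extra redacted keys are assumptions made for illustration.

```php
<?php
// The derivation from conf.php, taking the host name as a parameter
// instead of the server_domain constant.
function derived_error_email(string $server_domain): string {
    return 'mythweb_errors@'
         . preg_replace('/.*?\b([\w\-]+\.[\w\-]+)$/', '$1', $server_domain);
}

// Hypothetical safer default: keep the derived address only when the
// operator has listed that domain as their own, else deliver locally.
function safe_error_email(string $server_domain, array $owned_domains): string {
    $candidate = derived_error_email($server_domain);
    $domain    = strtolower(substr($candidate, strpos($candidate, '@') + 1));
    return in_array($domain, $owned_domains, true)
        ? $candidate
        : 'mythweb_errors@localhost';
}

// Blank out credentials in a copy of $_SERVER before it is dumped into
// an error report. The ticket names PHP_AUTH_USER and PHP_AUTH_PW; the
// other keys are additions that carry the same kind of data.
function redact_server_vars(array $server): array {
    $sensitive = ['PHP_AUTH_USER', 'PHP_AUTH_PW', 'PHP_AUTH_DIGEST',
                  'HTTP_AUTHORIZATION', 'HTTP_COOKIE'];
    foreach ($sensitive as $key) {
        if (array_key_exists($key, $server)) {
            $server[$key] = '[redacted]';
        }
    }
    return $server;
}

// Constructed host names: a dynamic-DNS name, an owned domain, a bare host.
$owned = ['example.com'];
foreach (['somemythweb.dnsalias.org', 'tv.example.com', 'mythbox'] as $host) {
    printf("%-26s derived: %-30s safe: %s\n",
           $host, derived_error_email($host), safe_error_email($host, $owned));
}

// Constructed sample of the variables that end up in a report.
print_r(redact_server_vars([
    'PHP_AUTH_USER' => 'someuser',
    'PHP_AUTH_PW'   => 'somepasswd',
    'REQUEST_URI'   => '/mythweb/',
]));
```

The regex keeps only the last two labels of the host name, so every host under a shared dynamic-DNS parent maps to a mailbox at the provider's domain rather than at the operator's own.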