Maintenance Pages leak sensitive environment information - pt2

Created on 3 October 2024, 27 days ago

Problem/Motivation

A continuation of 🐛 Maintenance pages leak sensitive environment information (Needs review): additional faults were identified during the initial debugging that were not fixed as part of the Full Path Discovery issue.

This issue is being made in the public queue as:

  • The fault is already publicly disclosed
  • A Core committer has requested that issues like this be made in public
  • The Drupal Security Team is aware of the issue from the previous thread and did not request it be moved into the private queue.

The maintenance pages core/authorize.php and update.php display sensitive error messages to users even when logging is disabled.

core/install.php was included in the previous issue and should be re-validated to ensure no additional concerns exist.

Mitigations: This fault generally requires events outside of an attacker's control to occur, including but not limited to a database failure, service account password expiration, or misconfiguration of credentials by a site owner. Any early-loaded service may generate errors that leak sensitive information, so this issue should not be perceived as constrained to just the database.

Sample error messages:

PDOException: SQLSTATE[HY000] [1044] Access denied for user 'db'@'%' to database 'db2' in Drupal\Component\DependencyInjection\PhpArrayContainer->createService() (line 77 of /var/www/html/web/core/lib/Drupal/Component/DependencyInjection/PhpArrayContainer.php).

Drupal\Core\Database\DatabaseAccessDeniedException: SQLSTATE[HY000] [1045] Access denied for user 'db'@'172.16.5.68' (using password: YES)

Priority set to Critical as this relates to a publicly disclosed security vulnerability and may lead to a repeat of all Drupal Core releases since 8.0.0 being marked vulnerable through the normal security reporting channels.

Steps to reproduce

Set:

error_reporting(0);                                                    // PHP-level error display off
$config['system.logging']['error_level'] = 'none';                     // Drupal error display off
$databases['default']['default']['database'] = "some_invalid_db_name"; // force an early database failure

Proposed resolution

Do not show sensitive error messages to anonymous users through any of the maintenance pages unless configured to do so.

MR 9403 had a significant amount of code towards a resolution.
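To verify the proposed resolution on your own site, the following added example (not code from the issue or from Drupal core) scans a maintenance-page response body for the leak markers quoted above and shows the generic-message fallback an anonymous visitor should receive. The sample bodies are constructed from the messages in this issue; the 'verbose' value for error_level is an assumption.

```python
import re

# Markers that an early-bootstrap exception (DB driver, container build) has been
# rendered into the response instead of being swallowed by the error handler.
LEAK_PATTERNS = {
    "db_exception": re.compile(
        r"\b(?:PDOException|DatabaseAccessDeniedException|SQLSTATE\[[A-Z0-9]+\])"),
    "db_account": re.compile(r"Access denied for user '[^']*'@'[^']*'"),
    "password_hint": re.compile(r"\(using password: (?:YES|NO)\)"),
    "abs_path": re.compile(r"\(line \d+ of /[^)]+\)"),
}

# The only text a maintenance page should show an anonymous visitor on failure.
GENERIC_MESSAGE = "The website encountered an unexpected error. Try again later."


def scan_maintenance_page(body: str) -> dict[str, list[str]]:
    """Map each leak category to the fragments found in a response body."""
    findings: dict[str, list[str]] = {}
    for name, pattern in LEAK_PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(body)]
        if hits:
            findings[name] = hits
    return findings


def render_for_visitor(exception_text: str, error_level: str) -> str:
    """Return what an anonymous visitor may see for a given error_level.

    error_level mirrors $config['system.logging']['error_level']; only an
    explicit 'verbose' setting (assumed value) exposes the exception text.
    """
    return exception_text if error_level == "verbose" else GENERIC_MESSAGE


# Constructed sample bodies, built from the messages quoted in this issue.
AUTHORIZE_BODY = (
    "The website encountered an unexpected error. Try again later.\n"
    "PDOException: SQLSTATE[HY000] [1044] Access denied for user 'db'@'%' to "
    "database 'db2' in Drupal\\Component\\DependencyInjection\\PhpArrayContainer"
    "->createService() (line 77 of /var/www/html/web/core/lib/Drupal/Component/"
    "DependencyInjection/PhpArrayContainer.php).")
CREDENTIAL_BODY = (
    "Drupal\\Core\\Database\\DatabaseAccessDeniedException: SQLSTATE[HY000] [1045] "
    "Access denied for user 'db'@'172.16.5.68' (using password: YES)")

if __name__ == "__main__":
    for label, body in (("authorize", AUTHORIZE_BODY), ("credential", CREDENTIAL_BODY),
                        ("clean", GENERIC_MESSAGE)):
        print(label, scan_maintenance_page(body) or "no leak")
```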

Remaining tasks

Issue a new CVE for this flaw (CWE-209: error messages may reveal service account credentials). Impacted versions are >=8.0.0.
Create a patch.

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Active

Version

11.0 🔥

Component

base system

Created by

🇺🇸United States cmlara


Comments & Activities

  • Issue created by @cmlara
  • 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺

    Tested this with up-to-date 11.x and 10.3.x

    I do see an error message at /core/authorize.php but the full path is not displayed e.g.

    The website encountered an unexpected error. Try again later.
    PDOException: SQLSTATE[HY000] [1044] Access denied for user 'db'@'%' to database 'some_invalid_db_name' in Drupal\Component\DependencyInjection\PhpArrayContainer->createService() (line 77 of core/lib/Drupal/Component/DependencyInjection/PhpArrayContainer.php).

    update.php just shows a simple "The website encountered an unexpected error. Try again later." message.

    I do not agree that this needs a CVE.
