Problem/Motivation
A continuation of "Maintenance pages leak sensitive environment information" (status: Needs review): additional faults were identified during the initial debugging that were not fixed as part of the Full Path Discovery issue.
This issue is being made in the public queue as:
- The fault is already publicly disclosed
- A Core committer has requested that issues like this be made in public
- The Drupal Security Team is aware of the issue from the previous thread and did not request it be moved into the private queue.
The maintenance pages core/authorize.php and update.php display sensitive error logs to users even with logging disabled.
core/install.php was included in the previous issue and should be validated to ensure no additional concerns exist.
Mitigations: This fault generally requires actions outside of an attacker's control to occur, including but not limited to database failure, service account password expiration, or misconfiguration of credentials by a site owner. Any early service being loaded may generate errors that leak sensitive information, so this issue should not be perceived as constrained to just the database.
Sample error messages:
PDOException: SQLSTATE[HY000] [1044] Access denied for user 'db'@'%' to database 'db2' in Drupal\Component\DependencyInjection\PhpArrayContainer->createService() (line 77 of /var/www/html/web/core/lib/Drupal/Component/DependencyInjection/PhpArrayContainer.php).
Drupal\Core\Database\DatabaseAccessDeniedException: SQLSTATE[HY000] [1045] Access denied for user 'db'@'172.16.5.68' (using password: YES)
Priority set to Critical, as this relates to a publicly disclosed security vulnerability and may lead to a repeat of all Drupal Core releases since 8.0.0 being marked Vulnerable through normal security reporting channels.
Steps to reproduce
Set:
error_reporting(0);
$config['system.logging']['error_level'] = 'none';
$databases['default']['default']['database'] = "some_invalid_db_name";
Proposed resolution
Do not show sensitive error messages to anonymous users through any of the maintenance pages unless configured to do so.
MR 9403 had a significant amount of code towards a resolution.
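The following is an added illustration of the proposed resolution, not code from MR 9403 or from Drupal core: a maintenance-page exception handler that writes the full exception (including host, user and file path) only to the server-side log, and shows the raw message only when the request is privileged and the site's error_level setting is not 'none'. The function names, the logger callback, the $config shape and the sample exception text are assumptions made for this example.

```php
<?php
// Added example (not Drupal core code): gate what a maintenance page such as
// core/authorize.php or update.php displays when an early service fails.
// Assumed names: maintenance_may_display_errors(), maintenance_render_error(),
// the $logger callable and the sample exception below are all constructed here.

declare(strict_types=1);

// Mirrors the settings.php override quoted in the issue. 'none' is the value the
// issue uses; any other value is treated as "display permitted" in this example.
$config = [];
$config['system.logging']['error_level'] = 'none';

/**
 * Decide whether a raw exception message may be shown to the current user.
 *
 * @param array $config        Site settings as loaded from settings.php.
 * @param bool  $isPrivileged  TRUE for an authenticated administrator, FALSE for anonymous.
 */
function maintenance_may_display_errors(array $config, bool $isPrivileged): bool {
  $level = $config['system.logging']['error_level'] ?? 'none';
  // Anonymous visitors never see raw errors; administrators only when the site is
  // explicitly configured to display them.
  return $isPrivileged && $level !== 'none';
}

/**
 * Build the text a maintenance page renders for a failed service start-up.
 *
 * The complete exception always goes to $logger; the returned string is what the
 * browser receives.
 */
function maintenance_render_error(\Throwable $e, array $config, bool $isPrivileged, callable $logger): string {
  // Full detail (message, file, line) stays on the server side only.
  $logger(sprintf('%s: %s in %s on line %d',
    get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));

  if (maintenance_may_display_errors($config, $isPrivileged)) {
    // Escape for HTML output; the message is still only shown to a privileged user.
    return htmlspecialchars(get_class($e) . ': ' . $e->getMessage(), ENT_QUOTES, 'UTF-8');
  }

  // Generic text: enough for the visitor to know the site is unavailable, nothing
  // about credentials, hosts or filesystem paths.
  return 'The site is currently unavailable for maintenance. The error has been logged.';
}

// Constructed sample exception matching the shape of the messages quoted in the issue.
$sample = new \PDOException("SQLSTATE[HY000] [1045] Access denied for user 'db'@'172.16.5.68' (using password: YES)");

// Simple in-memory log so the example runs without a real logging backend.
$log = [];
$logger = function (string $line) use (&$log): void {
  $log[] = $line;
};

// Anonymous visitor with error_level 'none': generic text.
echo maintenance_render_error($sample, $config, false, $logger), PHP_EOL;

// Administrator with error_level 'none': still generic text, display is not configured.
echo maintenance_render_error($sample, $config, true, $logger), PHP_EOL;

// Administrator after the site explicitly enables error display: raw message shown.
$config['system.logging']['error_level'] = 'all';
echo maintenance_render_error($sample, $config, true, $logger), PHP_EOL;

// Every call above produced a full server-side log entry regardless of display.
echo count($log), ' entries logged', PHP_EOL;
```

The point of the split is that disabling display (error_reporting(0) and error_level) must never disable logging, and that the display decision is made once, in one place, for every maintenance entry point rather than per script.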
Remaining tasks
Issue a new CVE for this flaw (CWE-209, error messages may reveal service account credentials). Impacted versions are >=8.0.0.
Create Patch
User interface changes
Introduced terminology
API changes
Data model changes
Release notes snippet