Improvement #2036
Status: Closed
Parent task: xmera Omnia - Bug #2054: Bug fixing in DMS, Project Types, and Issue Sync
Information disclosure of database request details
% Done: 100%
Description
When executing https://domain.tld/preview/text?text=%0A%0A%0A{{dmsf(%27)}}&
the system leaks information about database requests:
Fehler bei der Ausführung des Makros dmsf (Couldn't find DmsfFile with 'id'=' [WHERE `dmsf_files`.`deleted` = ?])
When executing https://domain.tld/preview/text?text=%0A%0A%0A{{dmsff(%27)}}&
the system leaks even more information about database requests:
Fehler bei der Ausführung des Makros dmsff (Couldn't find DmsfFolder with 'id'=1000 [WHERE `dmsf_folders`.`deleted` = ? AND (projects.status <> 9 AND projects.status <> 10 AND EXISTS (SELECT 1 AS one FROM enabled_modules em WHERE em.project_id = projects.id AND em.name='dmsf'))])
You could hide this information by not raising ActiveRecord::RecordNotFound
with its detailed information attached, but instead raising a string like l(:notice_record_not_found)
or something more specific to the underlying object.
According to our pentest report, this vulnerability has no probability of being exploited and no estimated risk.
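The following Ruby script is an added illustration of the fix suggested above; it is not code from the DMSF plugin or from xmera Omnia. It stands in a minimal ActiveRecord::RecordNotFound and a constructed DmsfFile lookup (so it runs without Rails), reproduces the leaky macro error shown in the report, and contrasts it with a variant that rescues the ORM exception and raises a fixed message instead. The macro wrapper wording ("Error executing the ... macro (...)") and the literal "Document not found" (standing in for l(:notice_record_not_found)) are assumptions.

```ruby
# Added example, not plugin code: shows how a Redmine-style wiki macro leaks
# SQL details through ActiveRecord::RecordNotFound, and how rescuing that
# exception and raising a generic message removes the leak.

# Stand-in for ActiveRecord::RecordNotFound so the script runs without Rails
# (assumption: the real class is a StandardError subclass with a message
# of the shape quoted in the report).
module ActiveRecord
  class RecordNotFound < StandardError; end
end

# Constructed stand-in for the DMSF model lookup. Its message mimics the
# shape from the report: the SQL WHERE clause is embedded in the text.
module DmsfFile
  def self.find_by_id!(id)
    raise ActiveRecord::RecordNotFound,
          "Couldn't find DmsfFile with 'id'=#{id} [WHERE `dmsf_files`.`deleted` = ?]"
  end
end

# Mirrors Redmine's behaviour of rendering any macro exception as
# "Error executing the <name> macro (<exception message>)" (assumed wording).
def run_macro(name)
  yield
rescue StandardError => e
  "Error executing the #{name} macro (#{e.message})"
end

# Leaky variant: the ORM exception propagates unchanged into the page output.
def dmsf_macro_leaky(id)
  run_macro("dmsf") { DmsfFile.find_by_id!(id) }
end

# Hardened variant: the ORM exception is converted into a fixed,
# object-specific message before the macro error handler sees it.
def dmsf_macro_hardened(id)
  run_macro("dmsf") do
    begin
      DmsfFile.find_by_id!(id)
    rescue ActiveRecord::RecordNotFound
      # Generic text as the report suggests (l(:notice_record_not_found)
      # in Redmine); a literal here because no i18n catalogue is loaded.
      raise "Document not found"
    end
  end
end

# Detection helper: does a rendered macro error expose query internals?
LEAK_MARKERS = ["WHERE", "SELECT", "`"].freeze
def leaks_query_details?(message)
  LEAK_MARKERS.any? { |marker| message.include?(marker) }
end

if __FILE__ == $PROGRAM_NAME
  puts dmsf_macro_leaky("'")      # contains the WHERE clause and table name
  puts dmsf_macro_hardened("'")   # "Error executing the dmsf macro (Document not found)"
end
```

The hardened variant only changes the message that reaches the wiki output; Ruby still records the original exception as `cause` on the re-raised error, so the full ORM detail remains available in server-side logs for debugging without being shown to the requester.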
Updated by liaham about 1 year ago
- Related to Improvement #1809: How to communicate permission problems with macros added
Updated by liaham about 1 year ago
- Related to deleted (Improvement #1809: How to communicate permission problems with macros)
Updated by liaham about 1 year ago
- Is duplicate of Improvement #1809: How to communicate permission problems with macros added
Updated by liaham about 1 year ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Updated by liaham about 1 year ago
- Target version changed from unreleased to 3.1.4-xmr