Description
If code in user.py fails, internal IDs or password hashes might be revealed.
Steps to reproduce
Modify a user file or e.g. the pickle cache file so that the parsing routines break.
Details
This wiki.
Workaround
None known.
Discussion
Note that there haven't been reports of cases where the data was revealed automatically (without administrator's influence).
Since tracebacks are needed for debugging, we can't prevent them. The only way to fix this is to make user ids or hashed password safe to show to the world. Login by id or hashed password must be disabled as soon as possible.
- Wrong. We have to filter the tracebacks or mark modules as sensitive, disallowing cgitb to show locals from unsafe modules. You neither want to reveal salted hashes or session IDs.
- Wrong, security by hiding stuff it bad. The system should be secure even if you have access to all the ids and hashed password in the system. How will you fix bugs when your traceback does not show locals and function calls?
- Umm, that is completly stupid - you always have data in your system that others may not see. And hashed passwords are ones you don't want to offer strangers. This is not obscurity, it is security. Obscurity would be to show the traceback white-on-white. Debugging would work differently of course - send the error-log file to the devs instead of pointing them to the site.
- Wrong, security by hiding stuff it bad. The system should be secure even if you have access to all the ids and hashed password in the system. How will you fix bugs when your traceback does not show locals and function calls?
Plan
- Priority: High
- Assigned to: Alexander Schremmer
Status: Fixed in 2ecd1e6c084d, will be in MoinMoin 1.6