
Thread: Revealing passwords

  1. #1
    New user
    Join Date: 02-26-10
    Posts: 18

    Revealing passwords

    After updating my site I noticed after about a week errors turning up in sections (news). The error page suggested putting the add global errors section to the config file. I did so and the errors looked like this....

    Warning: ftp_login():Login incorrect. in /mypath/mywebsite/system/libraries/FTP.php on line 108
    #0[internal function]: __error(2, 'ftp_login(): Lo...', '/mypath/mywebsite/...', 108, Array)
    #1 /mypath/mywebsite/system/libraries/FTP.php(108): ftp_login(Resource id #230, 'MY_FTP_USER', 'MY_FTP_PASSWORD')
    #2 /mypath/mywebsite/system/libraries/FTP.php(287): FTP->connect()
    #3 /mypath/mywebsite/system/libraries/Controller.php(971): FTP->chmod('system/html/Man...', 420)
    #4 /mypath/mywebsite/system/libraries/Controller.php(2651): Controller->getImage('tl_files/mediet...', '156', '156', NULL)
    #5 /mypath/mywebsite/system/modules/news/ModuleNews.php(174): Controller->addImageToTemplate(Object(FrontendTemplate), Array)
    #6 /mypath/mywebsite/system/modules/news/ModuleNewsList.php(145): ModuleNews->parseArticles(Object(DB_Mysql_Result))
    #7 /mypath/mywebsite/system/modules/frontend/Module.php(129): ModuleNewsList->compile()
    #8 /mypath/mywebsite/system/modules/news/ModuleNewsList.php(77): Module->generate()
    #9 /mypath/mywebsite/system/modules/frontend/ContentModule.php(72): ModuleNewsList->generate()
    #10 /mypath/mywebsite/system/libraries/Controller.php(415): ContentModule->generate()
    #11 /mypath/mywebsite/system/modules/frontend/ModuleArticle.php(173): Controller->getContentElement('160')
    #12 /mypath/mywebsite/system/modules/frontend/Module.php(129): ModuleArticle->compile()
    #13 /mypath/mywebsite/system/modules/frontend/ModuleArticle.php(71): Module->generate()
    #14 /mypath/mywebsite/system/libraries/Controller.php(348): ModuleArticle->generate(false)
    #15 /mypath/mywebsite/system/libraries/Controller.php(221): Controller->getArticle('59', false, false, 'main')
    #16 /mypath/mywebsite/system/modules/frontend/PageRegular.php(71): Controller->getFrontendModule('0', 'main')
    #17 /mypath/mywebsite/index.php(198): PageRegular->generate(Object(DB_Mysql_Result))
    #18 /mypath/mywebsite/index.php(329): Index-


    I'm wondering and worried if it's a good idea to reveal the username and password in plain text - I guess if I changed my password only then the script would actually reveal my current username, and if I changed my username but used the same password then it would reveal the current password.

    I would much rather see ******** instead of MYPASSWORD.

    ----

  2. #2
    imported_Nina
    Guest

    Re: Revealing passwords

    Hm, I've never seen that before. I'll show this to Leo, so that he can tell you if that behaviour is coming from your Server or if that really happens in Contao. Thanks for mentioning it!

  3. #3
    User
    Join Date: 06-29-09
    Posts: 271

    Re: Revealing passwords

    By default Contao shows no error messages; this has been manually enabled in the localconfig file. (Sorry for not seeing this was mentioned in the original post already.)

    Making sure an SQL error message does not contain a password would seem a bit hard unless the passwords can be stored in some encrypted way or something. But let's leave that up to Leo :P

  4. #4
    New user
    Join Date: 02-26-10
    Posts: 18

    Re: Revealing passwords

    Yes - like I said I enabled global error messages in the config file.

    On investigating further, I can see that it has to do with news items images - each page on the website with images in news items is trying to connect via ftp - I can't imagine why that would be the case - except...


    #3 /mypath/mywebsite/system/libraries/Controller.php(971): FTP->chmod('system/html/Man...', 420)

    It looks like controller.php is trying to change the permissions on images in the system/html folder.

    But I'm still not sure why the user and password need to be in any error message.

    BTW: Refreshing the page several times seems to make the error go away - even though I have removed my login information from localconfig.php until I find out what's going on.


    Xeberdee.

  5. #5
    Community-Moderator xchs
    Join Date: 06-19-09
    Posts: 1,287

    Re: Revealing passwords

    Quote (originally posted by xeberdee):
    "Each page on the website with images in news items is trying to connect via ftp - I can't imagine why that would be the case"

    Are you using the Safe Mode Hack (SMH)? If so, then obviously Contao tries to connect via FTP to write the preview images (/system/html) for your news items!

    Check your FTP credentials in your local configuration file "localconfig.php"!
    Contao Community Moderator

  6. #6
    New user
    Join Date: 02-26-10
    Posts: 18

    Re: Revealing passwords

    "obviously Contao tries to connect via FTP to write the preview images (/system/html) for your news items!"

    Did you bother to read my post! I go on to say! 'except... it looks like controller php'

    I don't need to look at my ftp login information in the config because it's not there anymore - and obviously won't be unless I can find out why it got read from the file and shown on the front end!

  7. #7
    User winanscreative
    Join Date: 06-21-09
    Location: Massachusetts, United States
    Posts: 261

    Re: Revealing passwords

    Directly from a PHP.ini file:

    ; - display_errors = Off [Security]
    ; With this directive set to off, errors that occur during the execution of
    ; scripts will no longer be displayed as a part of the script output, and thus,
    ; will no longer be exposed to remote users. With some errors, the error message
    ; content may expose information about your script, web server, or database
    ; server that may be exploitable for hacking. Production sites should have this
    ; directive set to off

    Turn your "Display Errors" setting to "off" in your localconfig.php file. It should never be "on" for a production site. That's why Contao has its own error message screen that you can customize.

    Xchs is right. The controller is trying to resize an image and cache it in system/html, and it uses functions/settings from FTP.php and your localconfig.php file to do so.

  8. #8
    Core developer
    Official Contao Team
    leo
    Join Date: 06-04-09
    Location: Wuppertal, Germany
    Posts: 201

    Re: Revealing passwords

    Quote (originally posted by xeberdee):
    "But I'm still not sure why the user and password need to be in any error message."

    The error message (the stack trace) is generated by PHP, so that is nothing we could influence.
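
The exposure discussed in this thread, as an added example that is not part of any post and is not Contao code: a PHP error handler that keeps errors out of the page and logs a trace in the same `#N file(line): call()` shape but with call arguments omitted. The function names `format_trace_without_args`, `log_error_without_args` and `connect_demo`, and the host and credential strings, are constructed for illustration.

```php
<?php
// Added example: hypothetical handler names, not taken from Contao.

// Never render errors into the page; write them to the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Format backtrace frames as "#N file(line): Class->func()" with no arguments.
function format_trace_without_args(array $frames): string
{
    $lines = [];
    foreach ($frames as $i => $frame) {
        // Frames invoked by the engine itself carry no file/line information.
        $where = isset($frame['file'])
            ? $frame['file'] . '(' . $frame['line'] . ')'
            : '[internal function]';
        $call = ($frame['class'] ?? '') . ($frame['type'] ?? '') . $frame['function'];
        $lines[] = sprintf('#%d %s: %s()', $i, $where, $call);
    }
    return implode("\n", $lines);
}

function log_error_without_args(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // DEBUG_BACKTRACE_IGNORE_ARGS omits the "args" index, so values passed to
    // calls such as ftp_login() are never collected in the first place.
    $frames = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
    array_shift($frames); // drop this handler's own frame

    error_log(sprintf(
        "[%d] %s in %s on line %d\n%s",
        $errno, $errstr, $errfile, $errline,
        format_trace_without_args($frames)
    ));

    return true; // handled: suppress PHP's built-in error output
}

set_error_handler('log_error_without_args');

// Constructed demonstration: a failing call whose arguments include secrets.
function connect_demo(string $host, string $user, string $password): void
{
    trigger_error('Login incorrect (constructed example)', E_USER_WARNING);
}

connect_demo('ftp.example.invalid', 'EXAMPLE_USER', 'EXAMPLE_PASSWORD');
```

The logged trace names `connect_demo()` and the file and line, while the constructed user name and password appear nowhere in the log or the response.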
