Results 1 to 8 of 8

Thread: Revealing passwords

  1. #1
    New user
    Join Date
    02-26-10.
    Posts
    18

    Default Revealing passwords

    After updating my site I noticed after about a week errors turning up in sections (news). The error page suggested putting the add global errors section to the config file. I did so and the errors looked like this....

    Warning: ftp_login():Login incorrect. in /mypath/mywebsite/system/libraries/FTP.php on line 108
    #0[internal function]: __error(2, 'ftp_login(): Lo...', '/mypath/mywebsite/...', 108, Array)
    #1 /mypath/mywebsite/system/libraries/FTP.php(108): ftp_login(Resource id #230, 'MY_FTP_USER', 'MY_FTP_PASSWORD')
    #2 /mypath/mywebsite/system/libraries/FTP.php(287): FTP->connect()
    #3 /mypath/mywebsite/system/libraries/Controller.php(971): FTP->chmod('system/html/Man...', 420)
    #4 /mypath/mywebsite/system/libraries/Controller.php(2651): Controller->getImage('tl_files/mediet...', '156', '156', NULL)
    #5 /mypath/mywebsite/system/modules/news/ModuleNews.php(174): Controller->addImageToTemplate(Object(FrontendTemplate), Array)
    #6 /mypath/mywebsite/system/modules/news/ModuleNewsList.php(145): ModuleNews->parseArticles(Object(DB_Mysql_Result))
    #7 /mypath/mywebsite/system/modules/frontend/Module.php(129): ModuleNewsList->compile()
    #8 /mypath/mywebsite/system/modules/news/ModuleNewsList.php(77): Module->generate()
    #9 /mypath/mywebsite/system/modules/frontend/ContentModule.php(72): ModuleNewsList->generate()
    #10 /mypath/mywebsite/system/libraries/Controller.php(415): ContentModule->generate()
    #11 /mypath/mywebsite/system/modules/frontend/ModuleArticle.php(173): Controller->getContentElement('160')
    #12 /mypath/mywebsite/system/modules/frontend/Module.php(129): ModuleArticle->compile()
    #13 /mypath/mywebsite/system/modules/frontend/ModuleArticle.php(71): Module->generate()
    #14 /mypath/mywebsite/system/libraries/Controller.php(348): ModuleArticle->generate(false)
    #15 /mypath/mywebsite/system/libraries/Controller.php(221): Controller->getArticle('59', false, false, 'main')
    #16 /mypath/mywebsite/system/modules/frontend/PageRegular.php(71): Controller->getFrontendModule('0', 'main')
    #17 /mypath/mywebsite/index.php(198): PageRegular->generate(Object(DB_Mysql_Result))
    #18 /mypath/mywebsite/index.php(329): Index-


    I'm wondering and worried if it's a good idea to reveal the username and password in plain text - I guess if I changed my password only then the script would actually reveal my current username, and if I changed my username but used the same password then it would reveal the current password.

    I would much rather see ******** instead of MYPASSWORD.

    ----

  2. #2
    imported_Nina
    Gast

    Default Re: Revealing passwords

    Hm, I've never seen that before. I'll show this to Leo, so that he can tell you if that behaviour is coming from your Server or if that really happens in Contao. Thanks for mentioning it!

  3. #3
    User
    Join Date
    06-29-09.
    Posts
    271

    Default Re: Revealing passwords

    By default Contao shows no error messages, this has been manually enabled in the localconfig file. (sorry for not seeing this was mentioned in the original post already)

    Making sure an SQL errormessage does not contain a password would seem a bit hard unless the passwords can be stored in some encrypted way or something. But let's leave that up to Leo :P

  4. #4
    New user
    Join Date
    02-26-10.
    Posts
    18

    Default Re: Revealing passwords

    Yes - like I said I enabled global error messages in the config file.

    On investigating further, I can see that it has to do with news items images - each page on the website with images in news items is trying to connect via ftp - I can't imagine why that would be the case - except...


    #3 /mypath/mywebsite/system/libraries/Controller.php(971): FTP->chmod('system/html/Man...', 420)

    it looks like controller.php is trying to change the permissions on images in the system/html folder.

    But i'm still not sure why the user and password need to be in any error message.

    BTW: Refreshing the page several times, seems to make the error go away - even though I have removed my login information from localconfig.php until I find out what's going on.


    Xeberdee.

  5. #5
    Community-Moderator xchs's Avatar
    Join Date
    06-20-09.
    Posts
    1,292

    Default Re: Revealing passwords

    Quote Originally Posted by xeberdee
    Each page on the website with images in news items is trying to connect via ftp - I can't imagine why that would be the case
    Are you using the Safe Mode Hack (SMH)? If so, then obviously Contao tries to connect via FTP to write the preview images (/system/html) for your news items!

    Check your FTP credentials in your local configuration file "localconfig.php"!
    Contao Community Moderator
    → Support options

  6. #6
    New user
    Join Date
    02-26-10.
    Posts
    18

    Default Re: Revealing passwords

    obviously Contao tries to connect via FTP to write the preview images (/system/html) for your news items!
    did you bother to read my post! I go on to say! 'except... it looks like controller php'

    I don't need to look at my ftp login information in the config because it's not there anymore - and obviously won't be unless I can find out why it got read from the file and shown on the front end!

  7. #7
    User winanscreative's Avatar
    Join Date
    06-21-09.
    Location
    Massachusetts, United States
    Posts
    261

    Default Re: Revealing passwords

    Directly from a PHP.ini file:

    ; - display_errors = Off [Security]
    ; With this directive set to off, errors that occur during the execution of
    ; scripts will no longer be displayed as a part of the script output, and thus,
    ; will no longer be exposed to remote users. With some errors, the error message
    ; content may expose information about your script, web server, or database
    ; server that may be exploitable for hacking. Production sites should have this
    ; directive set to off
    Turn your "Display Errors" setting to "off" in your localconfig.php file. It should never be "on" for a production site. That's why Contao has its own error message screen that you can customize.

    Xchs is right. The controller is trying to resize an image and cache it in system/html, and it uses functions/settings from FTP.php and your localconfig.php file to do so.

  8. #8
    Core developer
    Official Contao Team
    leo's Avatar
    Join Date
    06-04-09.
    Location
    Wuppertal, Germany
    Posts
    201

    Default Re: Revealing passwords

    Quote Originally Posted by xeberdee
    But i'm still not sure why the user and password need to be in any error message.
    The error message (the stack trace) is generated by PHP, so that is nothing we could influence.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •