Hello,
I work at a company certified to the PCI/DSS standard (security standard), and so security is crucial for us.
During our last security audit, it was found that AMFPHP sends a bit more information than we'd like.
Ex :
So, by injecting a non-existent method, the attacker can have information about the paths on the server. And that's not really cool.
So, is there a way to change this?
PRODUCTION_SERVER is already at TRUE.

Hi there
You can set the error handling level in the Gateway.php file; in addition to this you can also disable PHP errors in the php.ini file by setting "display_errors=Off".
If that's not enough, I would suggest overriding the class that sends back these error messages (I believe it's VerboseException.php) and filtering out unwanted information.
Does that help you?
Cheers

Thanks for your answer.
So, here are the changes I made to my config:
gateway.php
This doesn't seem to have changed anything (?)
core/shared/exception/MessageException.php
    // $results->faultDetail = $exception->details . ' on line ' . $exception->line;
    $results->faultString = $exception->description;
The best way is to also comment out the second line, as filenames can also appear there. But I sometimes used faultString in my code. That's probably a bad practice, so I'll try to rely on faultCode rather than on faultString in the future, or maybe change my exception handling.
So, I changed core/shared/app/BasicActions.php
    // the braces no longer interpolate the class path, so it is not sent to the client
    $ex = new MessageException(E_USER_ERROR, "The classpath folder {} does not exist. You probably misplaced your service.", __FILE__, __LINE__, "AMFPHP_CLASSPATH_NOT_FOUND");
    ...
    $ex = new MessageException(E_USER_ERROR, "The class {" . $amfbody->className . "} could not be found under the class path {}", __FILE__, __LINE__, "AMFPHP_FILE_NOT_FOUND");
With this, I think there is no more sensitive information displayed to the public.
I think it would be nice to make those security issues more easily configurable for anybody.
Maybe those error messages shouldn't be displayed when disableDebug() is set?
If you want, I'm willing to help.
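One way to implement what the post above asks for (a single switch that decides whether path-bearing descriptions and line numbers reach the client, with the client otherwise receiving only a stable faultCode and a generic text), as an added example that is neither AMFPHP's own code nor code from this thread. It assumes a fault object with the faultCode/faultString/faultDetail fields seen in the MessageException.php snippet, an exception object with hypothetical description/details/file/line fields modelled on that snippet, the AMFPHP_* codes used in BasicActions.php, and the PRODUCTION_SERVER flag mentioned in the first post; the function names, the fault-string table and the demo values are constructed for the example.

```php
<?php
// Added example, not AMFPHP's own code: build the fault sent back to the
// client without leaking server paths, and log the verbose form server-side.
//
// Assumptions (not from the thread): field names on $exception, the table of
// public fault strings, and the demo values below are all hypothetical.

if (!defined('PRODUCTION_SERVER')) {
    define('PRODUCTION_SERVER', true); // flag named in the thread; value assumed
}

// Client-visible text chosen by stable fault code, never derived from the
// server's file system. Unknown codes fall back to a generic message.
const PUBLIC_FAULT_STRINGS = [
    'AMFPHP_CLASSPATH_NOT_FOUND' => 'Service not found.',
    'AMFPHP_FILE_NOT_FOUND'      => 'Service not found.',
];
const DEFAULT_PUBLIC_FAULT_STRING = 'An internal error occurred.';

/**
 * Build the fault object returned to the Flash client.
 * $exception is expected to carry ->faultCode, ->description, ->details,
 * ->file and ->line (hypothetical names modelled on the thread's snippet).
 * $debug plays the role of "disableDebug() not set" from the post above.
 */
function buildClientFault(object $exception, bool $debug): stdClass
{
    $results = new stdClass();
    $code = $exception->faultCode ?? 'AMFPHP_RUNTIME_ERROR';
    $results->faultCode = $code;

    if ($debug) {
        // Development: same content as the unmodified gateway.
        $results->faultString = $exception->description;
        $results->faultDetail = $exception->details . ' on line ' . $exception->line;
        return $results;
    }

    // Production: keep the verbose version where only operators can read it ...
    error_log(sprintf('[amfphp] %s: %s (%s:%d) %s',
        $code, $exception->description, $exception->file, $exception->line, $exception->details));

    // ... and send the client a fixed text selected by code only.
    $results->faultString = PUBLIC_FAULT_STRINGS[$code] ?? DEFAULT_PUBLIC_FAULT_STRING;
    $results->faultDetail = '';
    return $results;
}

/**
 * Belt-and-braces filter for any free text that must still reach the client:
 * redacts absolute Unix and Windows paths and "on line N" fragments.
 */
function redactPaths(string $text): string
{
    $patterns = [
        '#(/[\w.\-]+){2,}#',         // e.g. /var/www/amfphp/services/Foo.php
        '#[A-Za-z]:\\\\[^\s"\']+#',  // e.g. C:\inetpub\wwwroot\amfphp\Foo.php
        '#\bon line \d+#i',          // e.g. "... on line 42"
    ];
    return preg_replace($patterns, '[redacted]', $text);
}

// --- demo on a constructed exception object (all values made up) ---
$ex = new stdClass();
$ex->faultCode   = 'AMFPHP_FILE_NOT_FOUND';
$ex->description = 'The class {Foo} could not be found under the class path {/var/www/amfphp/services/}';
$ex->details     = '/var/www/amfphp/core/shared/app/BasicActions.php';
$ex->file        = $ex->details;
$ex->line        = 123;

// In production the client sees only the code and "Service not found.".
echo json_encode(buildClientFault($ex, !PRODUCTION_SERVER)), PHP_EOL;

// Debug mode shows everything, so run it through the filter before sending.
$verbose = buildClientFault($ex, true);
echo redactPaths($verbose->faultString . ' | ' . $verbose->faultDetail), PHP_EOL;
```

The point of the table keyed by faultCode is the one the post makes about relying on faultCode rather than faultString: client code can branch on the code, while the text sent with it is fixed and contains nothing taken from the server's directory layout. The redactPaths() filter is only a second line of defence for text that must remain free-form; the primary control is not building the path into the description in the first place, as the edited BasicActions.php messages do.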
Hi Fabian
Sorry for the delayed response…
That's a really good idea, thanks! I'll throw it into the issue tracker for amfPHP 2.0 as well as my other open-source project using amfPHP - Aerial Framework.
Thanks for taking the time to fix this - it's much appreciated!