Page MenuHomePhabricator
Create Task
Maniphest T9096

Backtrace should not include parameters as they may contain private data
Closed, ResolvedPublic
Actions

Description

Author: nat

Description:
Stoping the database (MySQL 5.0, Debian testing) server during an operation
raises an exception which dumps various informations to the visitor's browser.
Among them:

  • the database name
  • the corresponding login and password

It reveals secrets, albeit $wgShowSQLErrors=false;

The URL provided leads to the dump (slightly edited)

Thank you

Version: 1.8.x
Severity: critical
OS: Linux
Platform: PC
URL: http://www.linux-france.org/MW_db_err.html

Details

Reference
bz7096

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:27 PM
bzimport added a project: MediaWiki-libs-Rdbms.
bzimport set Reference to bz7096.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Aug 22 2006, 10:04 PM
bzimport added a comment.Oct 21 2006, 6:33 PM

nat wrote:

Fixed under 1.8.2 (but $wgShowSQLErrors seems useless now)

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL