Hello.

The following domains are supposed to be access controlled, but appear to be accessible to everyone.

http://staging.eclipse.org
https://accounts-staging.eclipse.org/user

When I accessed the following URL using HTTPS, it requested authentication.

https://staging.eclipse.org

I'm not sure which is the correct behavior, but I recommend checking the settings.

Also, I found that the API server responded with an SQL error.

https://api-staging.eclipse.org/account/profile/[MYPROFILEID]/forum?page=1&pagesize=10

=======
<h1>Uncaught exception thrown in session handler.</h1><p>PDOException: SQLSTATE[42S02]: Base table or view not found: 1146 Table &#039;dev_fud_eclipse.fud_sessions&#039; doesn&#039;t exist: SELECT 1 AS expression FROM {sessions} sessions WHERE ( (sid = :db_condition_placeholder_0) AND (ssid = :db_condition_placeholder_1) ); Array ( [:db_condition_placeholder_0] =&gt; [MYSESSIONID] [:db_condition_placeholder_1] =&gt; [MYSESSIONID] ) in _drupal_session_write() (line 209 of /localsite/api-staging.eclipse.org/includes/session.inc).</p><hr />
======

This is also a staging server, so it's natural behavior. However, this gives an attacker hints to crack, and so should be access controlled.

Regards.
These staging servers are blocked by HTTP auth but we make the username/password public. This is a safeguard to stop Google from indexing the staging sites. We sometimes enable the PHP errors on staging for debugging. However, I expect my colleagues to turn it off once done.
I've asked a colleague to review all our Drupal sites this week and make sure that all error_reporting is off for all of them.
I am mentioning that HTTP authentication is not applied in the following URL. I found this in Google's index.

http://staging.eclipse.org
https://accounts-staging.eclipse.org/user

With HTTPS, access is blocked by HTTP auth.
https://staging.eclipse.org
(In reply to KENTA YAMAMOTO from comment #3)
> I am mentioning that HTTP authentication is not applied in the following
> URL. I found this in Google's index.
>
> http://staging.eclipse.org
> https://accounts-staging.eclipse.org/user
>
> With HTTPS, access is blocked by HTTP auth.
> https://staging.eclipse.org

@jakub could you take a stab at creating a patch for this?
This issue has been migrated to https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/577.
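The two conditions raised in this thread (HTTP auth enforced on one scheme of a host but not the other, and verbose PHP/Drupal errors reaching the client) can be checked mechanically over recorded responses. The sketch below is an added example, not part of the original thread or of any Eclipse code; the `example.org` hosts and responses are constructed placeholders, and `requires_auth` and `audit` are hypothetical names.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed observations (not captured traffic): one record per probed URL.
OBSERVATIONS = [
    {"url": "http://staging.example.org/", "status": 200, "headers": {}, "body": "<html>home</html>"},
    {"url": "https://staging.example.org/", "status": 401,
     "headers": {"WWW-Authenticate": 'Basic realm="staging"'}, "body": ""},
    {"url": "https://accounts-staging.example.org/user", "status": 200, "headers": {},
     "body": "<html>login form</html>"},
    {"url": "https://api-staging.example.org/account/profile/1/forum?page=1&pagesize=10",
     "status": 500, "headers": {},
     "body": "<h1>Uncaught exception thrown in session handler.</h1>"
             "<p>PDOException: SQLSTATE[42S02]: Base table or view not found</p>"},
]

# Markers of verbose error output, modelled on the response quoted in the report.
ERROR_MARKERS = re.compile(r"PDOException|SQLSTATE\[\w+\]|Uncaught exception thrown")

def requires_auth(obs):
    """True when the response is an HTTP auth challenge (401 plus WWW-Authenticate)."""
    header_names = {name.lower() for name in obs["headers"]}
    return obs["status"] == 401 and "www-authenticate" in header_names

def audit(observations):
    """Return sorted (finding, subject) tuples for the issues discussed in the thread."""
    findings = set()
    by_host = defaultdict(dict)  # host -> {scheme: every probed URL demanded auth}
    for obs in observations:
        parts = urlsplit(obs["url"])
        schemes = by_host[parts.hostname]
        schemes[parts.scheme] = schemes.get(parts.scheme, True) and requires_auth(obs)
        if ERROR_MARKERS.search(obs["body"]):
            findings.add(("verbose-error", obs["url"]))
    for host, schemes in by_host.items():
        if set(schemes.values()) == {True, False}:
            # Protected on one scheme only, e.g. the plain-HTTP vhost was missed.
            findings.add(("auth-mismatch", host))
        elif not any(schemes.values()):
            findings.add(("no-auth", host))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(OBSERVATIONS):
        print(finding)
```

In practice the observation records would come from an HTTP client run against both the `http://` and `https://` form of each staging host, without supplying credentials.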