Bug 572161 - Some staging website is exposed.
Summary: Some staging website is exposed.
Status: CLOSED MOVED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Website
Version: unspecified
Hardware: PC Windows 10
Importance: P3 normal
Target Milestone: ---
Assignee: Jakub Mazanek CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2021-03-22 04:35 EDT by KENTA YAMAMOTO CLA
Modified: 2021-12-23 06:47 EST
CC List: 5 users

See Also:


Description KENTA YAMAMOTO CLA 2021-03-22 04:35:19 EDT
Hello.

The following domains are supposed to be access controlled, but appear to be accessible to everyone.

http://staging.eclipse.org
https://accounts-staging.eclipse.org/user

When I accessed the following URL using HTTPS, it requested authentication.
https://staging.eclipse.org

I'm not sure which is the correct behavior, but I recommend checking the settings.
Also, I found that the API server responded with an SQL error.

https://api-staging.eclipse.org/account/profile/[MYPROFILEID]/forum?page=1&pagesize=10

=======
<h1>Uncaught exception thrown in session handler.</h1><p>PDOException: SQLSTATE[42S02]: Base table or view not found: 1146 Table 'dev_fud_eclipse.fud_sessions' doesn't exist: SELECT 1 AS expression
FROM 
{sessions} sessions
WHERE ( (sid = :db_condition_placeholder_0) AND (ssid = :db_condition_placeholder_1) ); Array
(
    [:db_condition_placeholder_0] => [MYSESSIONID]
    [:db_condition_placeholder_1] => [MYSESSIONID]
)
 in _drupal_session_write() (line 209 of /localsite/api-staging.eclipse.org/includes/session.inc).</p><hr />

======

This is also a staging server, so it's natural behavior. However, this gives an attacker hints for cracking it, so it should be access controlled.

Regards.
Comment 1 Christopher Guindon CLA 2021-03-22 09:30:16 EDT
These staging servers are blocked by HTTP auth, but we make the username/password public.

This is a safe-guard to stop Google from indexing the staging sites.

We sometimes enable the PHP errors on staging for debugging. However, I expect my colleagues to turn it off once done.
Comment 2 Christopher Guindon CLA 2021-03-22 09:34:56 EDT
I've asked a colleague to review all our Drupal sites this week and make sure that error_reporting is off for all of them.
Comment 3 KENTA YAMAMOTO CLA 2021-03-22 20:31:09 EDT
I am pointing out that HTTP authentication is not applied to the following URLs. I found this in Google's index.

http://staging.eclipse.org 
https://accounts-staging.eclipse.org/user

With HTTPS, access is blocked by HTTP auth.
https://staging.eclipse.org
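As an added example (not code from the bug report or from the Eclipse Foundation's infrastructure), here is the check a practitioner could run to confirm the behaviour described in comments 1 and 3: every scheme on each staging host must answer with an HTTP auth challenge (or bounce http:// to https://), and no response body may carry backend error text like the PDOException quoted above. The hostnames are those named in the report; the recorded responses in `SAMPLE` (including a hypothetical http://accounts-staging.eclipse.org redirect), the `fetch` helper and the error-signature regex are assumptions made for the example.

```python
"""Staging-exposure audit: added example, not part of the Eclipse bug
report or of the Eclipse Foundation's infrastructure.  The hostnames are
the ones named in the report; the recorded responses in SAMPLE are
constructed, and the error-signature patterns are an assumption."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit
import urllib.error
import urllib.request

# Text that marks a backend error page leaking to the client.  The PDO and
# "(line N of /path)" patterns match the Drupal output quoted in the report.
ERROR_LEAK = re.compile(
    r"Uncaught exception thrown|PDOException|SQLSTATE\[[0-9A-Z]{5}\]|\(line \d+ of /"
)


@dataclass
class Response:
    url: str
    status: int
    headers: dict   # header names lower-cased
    body: str


def classify(resp):
    """'protected', 'redirect', 'exposed' or 'other' for a single response."""
    scheme = urlsplit(resp.url).scheme
    if resp.status == 401 and "www-authenticate" in resp.headers:
        return "protected"
    if resp.status in (301, 302, 307, 308):
        # An http:// listener may bounce to https://, where auth is enforced;
        # any other redirect is not evidence of protection.
        if scheme == "http" and resp.headers.get("location", "").startswith("https://"):
            return "redirect"
        return "other"
    if 200 <= resp.status < 300:
        return "exposed"
    return "other"


def audit(responses):
    """List (url, finding) pairs for every response that violates the policy:
    an auth challenge on every scheme, and no backend error text in bodies."""
    findings = []
    for r in responses:
        verdict = classify(r)
        if verdict == "exposed":
            findings.append((r.url, "no authentication challenge"))
        elif verdict == "other":
            findings.append((r.url, "unexpected status %d" % r.status))
        if ERROR_LEAK.search(r.body):
            findings.append((r.url, "backend error text in response body"))
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface 3xx responses instead of following them, so the http://
    # listener is judged on its own answer.
    def redirect_request(self, *args, **kwargs):
        return None


def fetch(url, timeout=10):
    """Live probe (not exercised offline): record status, headers and the
    first 4 KiB of body for one URL, without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "staging-audit/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Response(url, resp.getcode(),
                            {k.lower(): v for k, v in resp.headers.items()},
                            resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Response(url, err.code,
                        {k.lower(): v for k, v in err.headers.items()},
                        err.read(4096).decode("utf-8", "replace"))


# Constructed responses mirroring what the report describes; the
# http://accounts-staging redirect is a hypothetical "good" case.
SAMPLE = [
    Response("http://staging.eclipse.org", 200, {"content-type": "text/html"},
             "<html><title>Eclipse staging</title></html>"),
    Response("https://staging.eclipse.org", 401,
             {"www-authenticate": 'Basic realm="staging"'}, "Unauthorized"),
    Response("http://accounts-staging.eclipse.org/user", 301,
             {"location": "https://accounts-staging.eclipse.org/user"}, ""),
    Response("https://accounts-staging.eclipse.org/user", 200,
             {"content-type": "text/html"}, "<html>Log in</html>"),
    Response("https://api-staging.eclipse.org/account/profile/1/forum?page=1&pagesize=10",
             500, {"content-type": "text/html"},
             "<h1>Uncaught exception thrown in session handler.</h1>"
             "<p>PDOException: SQLSTATE[42S02]: Base table or view not found ..."
             " in _drupal_session_write() (line 209 of"
             " /localsite/api-staging.eclipse.org/includes/session.inc).</p>"),
]

if __name__ == "__main__":
    for url, finding in audit(SAMPLE):
        print(url, "->", finding)
```

Against the constructed sample, `audit` flags the plain-http staging host and the accounts page as lacking a challenge, and the API response twice (unexpected 500, plus error text in the body); the 401 and the http-to-https redirect pass. For a live run, replace `SAMPLE` with `[fetch(u) for u in urls]`; `fetch` deliberately does not follow redirects so that the http:// listener is judged on its own answer rather than on whatever the https:// target says.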
Comment 4 Denis Roy CLA 2021-06-10 09:42:36 EDT
(In reply to KENTA YAMAMOTO from comment #3)
> I am mentioning that HTTP authentication is not applied in the following
> URL. I found this in Google's index.
> 
> http://staging.eclipse.org 
> https://accounts-staging.eclipse.org/user
> 
> With HTTPS, access is blocked by HTTP auth.
> https://staging.eclipse.org

@jakub could you take a stab at creating a patch for this?
Comment 5 Frederic Gurr CLA 2021-12-23 06:47:15 EST
This issue has been migrated to https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/577.