Variables from my .env are shown on error - security

I just started using laravel's lumen and managed to make it work both locally and on a server, when I was about to start exploring it, my index.php consisted of just:
<?php
$app = require __DIR__."/../lumenTest/bootstrap/app.php";
$app->run($app->make('request'));
echo $myundefinedvariable;
Which displays an ErrorException: Undefined variable: myundefinedvariable, but inside the "...at Application->Laravel\Lumen\Concerns{closure}" window I can see a giant wall of text with stuff like:
... 'APP_KEY' => 'fake0BqKgHeC72EmT7039B6pDCsJ90key' , ..., 'DB_PASSWORD' => 'secret', ...
And my first thoughts were, maybe it is because I'm running it locally with XAMPP or something, so I went and tried it on the server and the same thing happened.
Is it normal that sensitive data from my .env file gets shown to everyone after doing any php error?
Is there a way to avoid this happening? (different than not having any PHP errors, because I tend to have them a lot).
Additional info:
PHP version 7.1.12
Lumen (5.6.1) (Laravel Components 5.6.*)
The directory "lumenTest" is one level above my www or public and there is where the .env is located, the site is on a Linux server shared host

No, that's not normal. Professional developers consider this an amateurish behavior. That's the exact reason why companies don't even consider using Laravel.
Many people (including me) already notified them that this is really not-done, but the developers don't really seem to care. In fact it's the only framework in the world that thinks it's OK to print critical information in a debug page. Surely a visitor should never see stack traces, sql queries, pieces of code... But environment variables are confidential and should never end up in a HTTP response.
The best advice I have is to use a professional MVC framework like ASP.net, codeigniter, or yii, since there's no telling what the Laravel devs also think is OK to do...
If on the other hand you do decide to use Laravel anyway, there's a package that counters this: https://github.com/GlaivePro/Hidevara
It's really easy to set up; just make sure you don't forget the app->extend instruction.
On a production server you must not run "composer install" but instead "composer install --no-dev". This way filp/whoops will (should, hopefully) not be installed and cannot be triggered.
For professional development, I surely recommend not to use Laravel since the bar of what they think is acceptable seems to be very low.
As a sidenote: the developers claim that nothing can go wrong when APP_DEBUG=false, but incidents in the past have shown that the whoops handler can be triggered when debug mode is disabled. https://www.google.com/amp/s/blog.hacken.io/dangers-of-laravel-debug-mode-enabled%3fhs_amp=true

Yes, if you have debug mode enabled, any sort of data relating to an error can be displayed. This certainly would include sensitive data that would be useful when debugging.
For production, you want all errors to be privately logged, not publicly displayed. For this reason, you will want debug=false in your .env file.
If this is happening while debug mode is already set to false, you will want to configure the hiding/logging of errors at the server level.
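A pre-deploy check in POSIX shell, added here as an example (it is not code from the thread, from Lumen or from the Hidevara package): it reads the application's .env the way the answers above describe and refuses to go live when APP_DEBUG is not false, APP_ENV is not production, or a vendor/filp/whoops directory is present (which the earlier answer says a `composer install --no-dev` should leave out). The directory layout, the .env keys checked and the sample values are assumptions.

```sh
#!/bin/sh
# Added example: refuse a production deploy whose .env would let the whoops
# debug page render environment variables. Paths are constructed for illustration.

# env_value FILE KEY -> prints the value of KEY from a .env file (last match wins,
# one layer of surrounding quotes removed, empty string if KEY is absent)
env_value() {
    val=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$2="*) val=${line#"$2="} ;;   # lines not starting with KEY= are ignored
        esac
    done < "$1"
    val=${val%\"}; val=${val#\"}; val=${val%\'}; val=${val#\'}
    printf '%s\n' "$val"
}

# preflight APP_DIR -> 0 if safe for production, 1 otherwise (reasons on stderr)
preflight() {
    dir=$1; rc=0
    env_file="$dir/.env"
    [ -r "$env_file" ] || { echo "no readable .env in $dir" >&2; return 1; }
    debug=$(env_value "$env_file" APP_DEBUG | tr 'A-Z' 'a-z')
    env_name=$(env_value "$env_file" APP_ENV | tr 'A-Z' 'a-z')
    if [ "$debug" != "false" ]; then
        echo "APP_DEBUG is '${debug:-unset}'; it must be false in production" >&2; rc=1
    fi
    if [ "$env_name" != "production" ]; then
        echo "APP_ENV is '${env_name:-unset}'; expected production" >&2; rc=1
    fi
    # a --no-dev install should not leave the whoops handler on disk at all
    if [ -d "$dir/vendor/filp/whoops" ]; then
        echo "filp/whoops is installed; rerun composer install --no-dev" >&2; rc=1
    fi
    return $rc
}

# usage (assumed path): preflight /home/user/lumenTest && echo "safe to deploy"
```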

Trivial Node.js via Passenger on DreamHost - Permission Denied

I tried setting up a do-nothing Node app, and it failed.
I developed some Node.js code offline in containers. I now want to try deploying it on DreamHost. I am doing it incrementally, adding features one by one. Starting with “Hello World” and going from there.
I set up a new subdomain and enabled Passenger. I was able to serve up an index.html file. I followed https://help.dreamhost.com/hc/en-us/articles/360029083351-Installing-a-custom-version-of-NVM-and-Node-js and installed Node and nvm (using the versions recommended in that article). I then installed a few packages I plan to use (most notably Express, the rest won't come into play until later).
With just a Hello World app, that failed. The error message is below. But, I checked all the relevant files and they all have global read and execute permissions. I’m wondering if it is something else. I tried multiple Hello World examples for app.js, copied directly from different tutorials, none of which worked (but they do work locally). My more complex code also does not work, but that is the next step.
What am I missing? I followed the directions exactly. What other landmines do I have to look forward to? I really don’t want to spend time wrestling with infrastructure, I want it to “just work”, ideally.
An error occurred while starting the web application. It exited before signalling successful startup back to Phusion Passenger. Please read this article for more information about this problem.
Raw process output:
*** ERROR ***: Cannot execute /home/<user name>/.nvm/versions/node/v12.16.3: Permission denied (13)
Unclear what solved the issue.
Ran through changing the permissions on the files, as would seem obvious. Changed '/home/<user name>/.nvm/versions/node/v12.16.3' to '/home/<user name>/.nvm/versions/node/v12.16.3/bin/node' in the .htaccess file. Neither of those seemed to solve it.
Repeated the process again later. Followed it by 'touch <webapp directory>/tmp/restart.txt' and it started working. I had been editing files in the web app's directory, so it isn't clear what touching that file did.

Which files required for qt 5.4 qwebchannel linux deployment?

All,
Have a QtWebEngine based application which uses all local html and javascript files. When deploying this to a test environment the Web page comes up and is navigable, but, webchannel based things aren't working. Everything is fine on development. Problem only happens on deployment to test machine.
This is a self contained .deb which installs creating a user and is meant to bring everything along with it. While it is running on a desktop, there is no network connection, everything is inside.
That said, if "everything" was inside the webchannel would be working. Does anyone have a link identifying what external pieces webchannel requires? There are only two oddities starting up on the target.
[0629/132921:WARNING:resource_bundle.cc(286)] locale_file_path.empty()
[0629/132921:WARNING:resource_bundle.cc(286)] locale_file_path.empty()
Trust me, I've surfed for that. There are thousands of posts flagging resource_bundle.cc throwing locale_file_path.empty() errors at all kinds of lines and nothing offered as a solution. I am making the grand assumption that when the webchannel supporting files are identified and placed/pointed to, these will go away and life will be good.
qwebchannel.js is deployed, but maybe there is an environment variable I need to set? The index.html file references qwebchannel.js exactly where it is.
Anyone have the list/link of what files are required when deploying something using qwebchannel.js? It isn't throwing up an error which identifies much.
Thanks,

How can I test whether jmx-console.war is being used in JBoss 4.2.2?

There is a file within the .\jboss-4.2.2.GA\server\default\deploy folder, named "jmx-console.war". I am getting a security vulnerability dealing with this module. How can I tell if our application is using this module. I implemented an open source tool, but I'm not sure how to test whether it's being used.
Nessus vulnerability of High Severity:
JBoss JMX Console Unrestricted Access
http://www.tenable.com/plugins/index.php?view=single&id=23842
If you see that war file in the deploy folder, then most likely your application is using it. That is to say, it is most likely being loaded. It should be fairly easy to test for, assuming you know the HTTP port the JBoss instance is listening on. By default, it is 8080 so point your browser to http://[your jboss host]:8080/jmx-console and see if the console comes up, keeping in mind that it might be password protected, and your HTTP port might not be 8080.
You should also see something like this in the server.log or configured equivalent:
11:52:30,165 INFO main [TomcatDeployer] deploy, ctxPath=/jmx-console, warUrl=.../deploy/jmx-console.war/
Having said that, there are a couple of ways I can think of that would indicate or cause the jmx-console to not be deployed:
The folder you referenced is in the default server directory. This is only one instance out of 3 (default, all, minimal) and you may be running one of the others, or even a custom configured server. That is to say, if you were running the minimal server instance, or one that did not contain the jmx-console.war, then the presence of that file in the default server's deploy directory would not cause it to be deployed in another server's instance. (that all sounds more complicated than it really is)
War files in the deploy directory depend on another directory called jboss-web.deployer which actually deploys war files. If that directory is not there, my guess is that war deployment has been disabled. Highly unlikely though, as there are easier ways of doing this, and if someone went to the trouble of removing this folder, they probably would have removed the wars too.
Bottom line is, the easiest way would be to find the http port, then hit the jmx-console URL and see if it responds, or check the log file. It is conceivable that someone could rename jmx-console.war to something else (in an ill-conceived attempt to hide it perhaps ?) in which case, you would need to execute a battery of http request scans and try and find a jmx-console signature, but that's out of my (otherwise quite large...) area of expertise.
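An added POSIX shell example (not code from the answer or from JBoss) that turns the two checks above into something repeatable: it lists every server configuration under JBOSS_HOME/server (default, all, minimal or a custom one) whose deploy directory still holds jmx-console.war, and tests a server.log for the TomcatDeployer line quoted in the answer. The JBOSS_HOME layout and log lines used for testing are constructed.

```sh
#!/bin/sh
# Added example: inventory jmx-console.war across all server configurations and
# confirm from the log whether it actually deployed. Paths are constructed.

# configs_with_jmx_console JBOSS_HOME -> prints the name of each server config
# whose deploy/ directory contains jmx-console.war (packed or exploded)
configs_with_jmx_console() {
    for war in "$1"/server/*/deploy/jmx-console.war; do
        [ -e "$war" ] || continue            # the glob matched nothing
        cfg=${war%/deploy/jmx-console.war}   # .../server/<config>
        printf '%s\n' "${cfg##*/}"
    done
}

# jmx_console_deployed LOGFILE -> 0 if TomcatDeployer logged the /jmx-console
# context (the console was deployed on this instance), 1 otherwise
jmx_console_deployed() {
    grep -q '\[TomcatDeployer\] deploy, ctxPath=/jmx-console,' "$1"
}

# usage (assumed paths):
#   configs_with_jmx_console /opt/jboss-4.2.2.GA
#   jmx_console_deployed /opt/jboss-4.2.2.GA/server/default/log/server.log && echo "deployed"
```

The log test only proves deployment for the instance that wrote that log; a configuration that is never started does not deploy anything, which is the answer's point about the default directory.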

Unable to run a .Net website locally using the System.Web.Security namespace

I took over this 4.0 webforms website and got the exact same code from the former developer.
It runs fine on his local machine, but it craps out on my local machine having anything to do with the “System.Web.Security” namespace.
If I put a breakpoint where it is failing and try to fall into the code for that namespace, it won't let me go any further. It just simply will not execute anything to do with the namespace. This happens with all of the three major browsers.
Since this forum does not allow any attachments, I can't show you anything more.
Does anybody have any ideas what is wrong?
Turned out to be a simple permissions issue on our end not allowing my id to have access to the database.

Drupal menu items and blog entries disappeared for anonymous users

I've been struggling with a problem now for a few hours and I cannot find any answers or anyone with the same problem -
Some menu items are missing on my site www.namhost.com (Drupal 6.22) and when viewing the blog it shows "No blog entries have been created". When I log in as admin everything works fine, so this problem only occurs for anonymous/guest users.
I've changed nothing on the site which may have caused this problem and here comes the really strange part - When viewing a copy of the site locally everything works 100% even for anonymous/guest users.
I've tried:
flushing caches
rebuilding permissions
checked if the "anonymous" user is present in the database
viewing on different browsers
None of these yielded any results.
Because the problem doesn't occur locally I'm starting to believe this could be a problem on the server the site is hosted on (Linux with PHP5.2), but the admins had a look and couldn't find anything.
Any help/insight would be highly appreciated.
================FIXED<<<<<<<-----------------------------
I am not allowed to answer my own question and it was suggested that I edit the question to include my answer so here goes:
Firstly, thanks for all the responses.
I disabled the "ACL" module (http://drupal.org/project/acl) and the problem was solved. It was previously used for our forum which was also disabled a few months back, so it's not needed any more.
I still have no idea why this module caused the site to work locally but not on the server. I will be in contact with the server admins to find out if they changed/updated anything on the server which may have caused this module to cause a malfunction.
Any insight could still be helpful to prevent this from happening again.
Check your Drupal config:
Are you using node_access, content_access, or any other permissions-related addon mods? Disable them and see if the problem persists. If that doesn't work, disable all non-core mods and re-enable them one-at-a-time until you find the offender.
Compare your hosting configs:
If it's not related to Drupal, compare the local and remote server configurations. Do both use the same versions of php, apache, apc, cgi, etc.? A phpinfo(); on both servers should give you the most important details for comparison. Do a similar comparison of the MySQL setup and content. Finally, check for differences in your .htaccess files (if any) between the two locations.
Test another hosting environment:
Download a virtual appliance like QuickStart which is already configured to host Drupal sites for development and non-production purposes, and see if the site works correctly in that. If it does, you could do an additional validation by porting to a new host who offers a trial/money-back-guarantee and see if it works correctly there.
If your site works fine elsewhere, give your current host a good thrashing for making you go through all of this to figure out the problem lies on their end.