X3 Photo Gallery Support Forums

seldor
Topic Author
Posts: 8
Joined: 24 Oct 2022, 15:27

diagnostics should only be accessible for logged-in users

13 Nov 2022, 08:46

I've just found out by chance that the diagnostics page can be accessed unauthorized, by everyone. This should only be possible when enabled in the config or when the user is logged in.

The page gives away info that should not be accessible for everyone.
Interestingly, your own page shows a slightly different page (with less info) than mine: https://www.mjau-mjau.com/?diagnostics=true
while mine also shows the PHP version, extensions, open_basedir etc., even though I have disabled the diagnostics entirely in the settings. Therefore I would expect that they are never shown, especially not to unauthenticated users, since they might contain sensitive information (no one is supposed to see my open_basedir, PHP version or whatever).

Thanks
Matt
 
mjau-mjau
X3 Wizard
Posts: 13993
Joined: 30 Sep 2006, 03:37

Re: diagnostics should only be accessible for logged-in users

13 Nov 2022, 10:47

Ok, so the simple fix for this would be to open index.php, and simply add "exit()":
Code
if(X3Config::$config["settings"]["diagnostics"] || isset($_GET["diagnostics"])) {
  exit();
  ..
Matt wrote:they might contain sensitive information (no one is supposed to see my open_basedir, PHP version or whatever)
I won't argue, because every website-owner is entitled to "paranoid"-level security. I would have to note, in reality, there is nothing anyone can make out of PHP version in the days of modern PHP, unless you have some truly insecure apps running on your server (in which case, they shouldn't be there in the first place). And basedir is irrelevant, as it would require PHP write access in the first place to achieve anything ... Just saying, but of course, one can't argue maximum security.
Matt wrote:Interestingly, your own page shows a slightly different page (with less info) than mine: https://www.mjau-mjau.com/?diagnostics=true
There are TWO reasons for this, one which you might find useful.

1. First of all, my X3 websites are pre-configured via Apache config (without using ".htaccess"), which kinda implies that the config is already correct and does not require diagnosing. You could do this yourself:
https://gist.github.com/mjau-mjau/f4acd ... 13a9ff488e Apache
https://gist.github.com/mjau-mjau/6dc19 ... e566a8457b Nginx

2. There are a couple of options you can apply in Apache config. X3_SERVER_CONFIG On basically means "don't check, this server is configured successfully". X3_HIDE_DIAGNOSTICS On means hide extended info (beyond the diagnostics that check that folders are writeable etc.). I'm not 100% sure that this can be used in a ".htaccess" file.
Code
<Directory ${DOCUMENT_ROOT}>
  SetEnv X3_SERVER_CONFIG On
  SetEnv X3_HIDE_DIAGNOSTICS On
  ..
https://gist.github.com/mjau-mjau/b8fe3 ... 194706e6f5
Matt wrote:even though I have disabled the diagnostics entirely in the settings - therefore I would expect that they are never shown
The point of "show diagnostics" (enabled by default), is to run maintenance and make sure everything is working, immediately after installation. When all is good, "show diagnostics" can be disabled, effectively enabling the X3 website. Un-checking "show diagnostics" does not effectively disable diagnostics, as this is used a lot by users and myself to provide support to users.

There could perhaps be an option for this, but this is not how it currently works. Thanks for reporting! For now, you will need to use one of the possible solutions above.
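A self-check a site owner can run after applying either fix above, to confirm an anonymous request to ?diagnostics=true no longer returns server details. This is an added example written for this thread, not X3's own code: the leak markers are assumptions about the wording of the diagnostics output, and the request is sent without cookies so it reflects what a logged-out visitor sees.

```python
"""Check whether a gallery still exposes server details via ?diagnostics=true."""
import re
import sys
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Markers for the extended diagnostics info mentioned in the thread.
# Assumption: these match the wording of the page; adjust to your template.
LEAK_MARKERS = {
    "php_version": re.compile(r"PHP\s+Version\b", re.I),
    "open_basedir": re.compile(r"open_basedir", re.I),
    "extensions": re.compile(r"\b(?:loaded|php)\s+extensions\b", re.I),
}


def find_leaks(body: str) -> list[str]:
    """Return the names of the server-detail markers present in a response body."""
    return [name for name, rx in LEAK_MARKERS.items() if rx.search(body)]


def diagnostics_url(base: str) -> str:
    """Append diagnostics=true to a gallery URL, preserving any existing query."""
    parts = urlsplit(base)
    query = dict(parse_qsl(parts.query))
    query["diagnostics"] = "true"
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", urlencode(query), ""))


def check_diagnostics(base: str, timeout: float = 10.0) -> dict:
    """Fetch the diagnostics URL anonymously (no cookies) and report what leaks.

    Returns {"status": <http status>, "leaks": [<marker names>]}; an empty
    "leaks" list means the extended info is hidden for logged-out visitors.
    """
    req = urllib.request.Request(diagnostics_url(base),
                                 headers={"User-Agent": "x3-diagnostics-selfcheck"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
        status = resp.status
    return {"status": status, "leaks": find_leaks(body)}


if __name__ == "__main__":
    # Usage: python selfcheck.py https://your-gallery.example/
    result = check_diagnostics(sys.argv[1])
    print(f"HTTP {result['status']}; leaked markers: {result['leaks'] or 'none'}")
    sys.exit(1 if result["leaks"] else 0)
```

Run it against your own gallery only; a non-zero exit means the extended diagnostics are still visible to an anonymous visitor and the .htaccess or index.php change has not taken effect.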
 
seldor
Topic Author
Posts: 8
Joined: 24 Oct 2022, 15:27

Re: diagnostics should only be accessible for logged-in users

13 Nov 2022, 11:11

Hi Karl
Thanks for your reply. Yes, maybe I'm a bit paranoid, but since I'm working in the security business, I see every piece of information about your server that no one should have access to as very relevant and just unnecessary to leak.
I've now followed your advice and uncommented the already present block in the root's .htaccess:
Code
<IfModule mod_env.c>
    SetEnv X3_HIDE_DIAGNOSTICS On
</IfModule>
Maybe also the checkbox description in the settings is a bit misleading - I always thought of 'Show X3 Diagnostics' as just enabling this feature. But instead it kinda replaces the whole website with the diagnostics (plus does some more work like creating folders, apparently). Maybe this could be made clearer, and a second checkbox like 'Show extended diagnostics' might be added which enables/disables just these details (like the env variable above)...
Thanks for your consideration
Matt
 
mjau-mjau
X3 Wizard
Posts: 13993
Joined: 30 Sep 2006, 03:37

Re: diagnostics should only be accessible for logged-in users

13 Nov 2022, 22:42

Thanks for the suggestions. Yes, a future version should definitely have the option to not display server info publicly.