
2.1.5 Security Issue on Place Admin #4471

Closed
FrankWarius opened this issue Jun 10, 2022 · 8 comments

Comments

@FrankWarius

From the Website logs: 2022-06-10 01:59:44 | error | 138.201.11.237 | none | none

No more Website log entries for 138.201.11.237, but there are IIS log entries. No user was logged in at this time.

How could this happen?

IIS log error:
2022-06-09 23:59:44 85.214.164.127 GET /index.php - 443 - 138.201.11.237 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/87.0.4280.67+Safari/537.36 - 500 0 0 2815

Website logs error:
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '23643-2-Ahrensbök' for key 'ux1' (SQL: insert into wt2_places (p_file, p_place, p_parent_id, p_std_soundex, p_dm_soundex) values (2, Ahrensbök, 23643, A652, 059647:096475)) …\vendor\illuminate\database\Connection.php:712
#0 …\vendor\illuminate\database\Connection.php(672): Illuminate\Database\Connection->runQueryCallback('insert into wt...', Array, Object(Closure))
#1 …\vendor\illuminate\database\Connection.php(502): Illuminate\Database\Connection->run('insert into wt...', Array, Object(Closure))
#2 …\vendor\illuminate\database\Connection.php(454): Illuminate\Database\Connection->statement('insert into wt...', Array)
#3 …\vendor\illuminate\database\Query\Builder.php(2980): Illuminate\Database\Connection->insert('insert into wt...', Array)
#4 …\app\Place.php(141): Illuminate\Database\Query\Builder->insert(Array)
#5 …\app\Cache.php(60): Fisharebest\Webtrees\Place->Fisharebest\Webtrees{closure}()
#6 …\vendor\symfony\cache\Adapter\ArrayAdapter.php(84): Fisharebest\Webtrees\Cache::Fisharebest\Webtrees{closure}(Object(Symfony\Component\Cache\CacheItem), true)
#7 …\app\Cache.php(61): Symfony\Component\Cache\Adapter\ArrayAdapter->get('07582e21abab4d6...', Object(Closure))
#8 …\app\Place.php(148): Fisharebest\Webtrees\Cache->remember('place-Ahrensb\xC3\xB6...', Object(Closure))
#9 …\app\Place.php(223): Fisharebest\Webtrees\Place->id()
#10 …\app\Place.php(300): Fisharebest\Webtrees\Place->url()
#11 …\resources\views\lists\individuals-table.phtml(328): Fisharebest\Webtrees\Place->shortName(true)

@FrankWarius (Author)

The database itself seems to be OK:
[screenshot]

FrankWarius changed the title from "2.15 Security Issue on Place Admin" to "2.1.5 Security Issue on Place Admin" on Jun 11, 2022

@fisharebest (Owner)

Does your data contain both Ahrensbök and Ahrensbok?

@FrankWarius (Author)

FrankWarius commented Jun 11, 2022

No. See the above screenshot of the DB. Only two entries starting with 'Ahrens'.

@FrankWarius (Author)

As you can see, both places have the same Soundex value. Ahrenshoop is in Western Pomerania, Ahrensbök in Schleswig-Holstein.
I think we had problems with umlauts / code pages about 5 years ago. Some 1.x stuff we solved.

Why I'm afraid it's a security issue:

  • Place entries in _places are created when an INDI or FAM tag is created or edited. You need update rights for this.
  • Place entries are changed or deleted using the Admin\Place function. You need admin rights for this.
  • The session from the IP address 138.201.11.237 was not logged in and therefore only had visitor rights without admin or update rights.

Should there now be other code paths that insert into the _places table, that would be OK for me and not a security issue.

@fisharebest (Owner)

Entries in this table are created when they are first used.

This one was created while viewing the individual list.

Does your data contain both Ahrensbök and Ahrensbok?

You didn't answer this question.

Due to collation rules, only one of these can be stored. If you have both, the second will fail with the error above....

@FrankWarius (Author)

0 entries for Ahrensbok

[screenshot]

1 entry for Ahrensbök,

[screenshot]

last changed before the incident in 2015 (the log entry is from the next day)

@FrankWarius (Author)

In the last place export / backup, 2022-05-23 Places Global.csv, there is no Ahrensb%k entry.

@FrankWarius (Author)

I think the case is understandable and it's not a security issue.

  • About 5 years ago a webtrees 1.x release DB migration crashed several times. The reason was places with umlauts. The workaround was to delete these incorrect ones from the _places table and to restart the migration.
  • If this place is later called up for display, the corresponding entry in the _places table is inserted, regardless of whether it is called up by a guest or a logged-in user.

I just successfully tested this with Eckernförde.

The question remains why the insert was made twice and led to an error entry in the log. From my point of view there are more urgent problems and we can close this issue.
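An added example, not webtrees code, that reproduces the two mechanisms this thread turns on: under the unique key, a collation-equal spelling ('Ahrensbok' beside 'Ahrensbök') resolves to the same row, and the create-on-first-use lookup can be run twice by two concurrent visitor requests, so the second INSERT fails on ux1 just as in the logged error, while the hardened variant re-reads the row instead of surfacing a 500. The table, collation and function names are constructed assumptions; webtrees runs on MySQL, and SQLite stands in here.

```python
import sqlite3
import unicodedata
# Constructed stand-in for wt2_places and its unique key ux1 (p_file, p_place,
# p_parent_id). webtrees runs on MySQL, whose default collations compare 'ö' and
# 'o' as equal; a custom SQLite collation reproduces that so this runs offline.

def _fold(s):
    nfd = unicodedata.normalize("NFD", s)
    return "".join(c for c in nfd if unicodedata.category(c) != "Mn").casefold()

def open_db():
    db = sqlite3.connect(":memory:")
    db.create_collation("ai", lambda a, b: (_fold(a) > _fold(b)) - (_fold(a) < _fold(b)))
    db.execute("CREATE TABLE places (p_id INTEGER PRIMARY KEY, p_file INT,"
               " p_place TEXT COLLATE ai, p_parent_id INT)")
    db.execute("CREATE UNIQUE INDEX ux1 ON places (p_file, p_place, p_parent_id)")
    return db

SELECT = "SELECT p_id FROM places WHERE p_file=? AND p_place=? AND p_parent_id=?"
INSERT = "INSERT INTO places (p_file, p_place, p_parent_id) VALUES (?, ?, ?)"

def lookup(db, key):
    row = db.execute(SELECT, key).fetchone()
    return row[0] if row else None

def insert(db, key):
    return db.execute(INSERT, key).lastrowid

def place_id(db, key):
    """Create-on-first-use, hardened: a duplicate-key error means another
    request (or a collation-equal spelling) got there first, so re-read the
    row instead of letting the error surface as a 500."""
    pid = lookup(db, key)
    if pid is not None:
        return pid
    try:
        return insert(db, key)
    except sqlite3.IntegrityError:
        return lookup(db, key)

def race_unhardened(db, key):
    """Two requests both miss the lookup before either inserts; the second
    INSERT then fails on ux1, the 'insert made twice' seen in the log."""
    assert lookup(db, key) is None and lookup(db, key) is None
    insert(db, key)                   # request B wins
    try:
        insert(db, key)               # request A: duplicate on ux1
        return None
    except sqlite3.IntegrityError as err:
        return str(err)
```

No privilege is involved in either path: the row is written by whichever request renders the place first, which is why a visitor-only session shows up as the author of the INSERT.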
