
Bug #12207

PHP error on login when trying to manually register a mail item with a particular group

Added by Robin SALDINGER over 2 years ago. Updated 12 months ago.

Status:
Rejected
Priority:
3-Minor
Target version:
Start date:
10/28/2019
Due date:
Tags Courrier:

Description

Error message displayed on login and when clicking "enregistrer un courrier" (register a mail item):
[28-Oct-2019 14:32:45 Europe/Paris] PHP Warning: Use of undefined constant _OK - assumed '_OK' (this will throw an Error in a future version of PHP) in /var/www/html/MaarchCourrier/apps/maarch_entreprise/phpids_control.php on line 67
[28-Oct-2019 14:32:45 Europe/Paris] PHP Warning: Use of undefined constant _LEVEL_ERROR - assumed '_LEVEL_ERROR' (this will throw an Error in a future version of PHP) in /var/www/html/MaarchCourrier/apps/maarch_entreprise/phpids_control.php on line 68
[28-Oct-2019 14:32:45 Europe/Paris] PHP Warning: Use of undefined constant _LEVEL_INFO - assumed '_LEVEL_INFO' (this will throw an Error in a future version of PHP) in /var/www/html/MaarchCourrier/core/class/class_history.php on line 370
[28-Oct-2019 14:32:45 Europe/Paris] PHP Warning: Use of undefined constant _LEVEL_WARN - assumed '_LEVEL_WARN' (this will throw an Error in a future version of PHP) in /var/www/html/MaarchCourrier/core/class/class_history.php on line 376
[28-Oct-2019 14:32:45 Europe/Paris] PHP Warning: Use of undefined constant _LEVEL_ERROR - assumed '_LEVEL_ERROR' (this will throw an Error in a future version of PHP) in /var/www/html/MaarchCourrier/core/class/class_history.php on line 382

Maarch history log:
PHPIDS CONTROL, USER : numeriseur IP : 10.1.1.69 MESSAGE : Total impact: 5 Affected tags: xss, csrf
Variable: COOKIE.maarchCourrierAuth |
Value: eyJpZCI6MTE1LCJ1c2VySWQiOiJudW1lcmlzZXVyIiwiY29va2llS2V5IjoiJDJ5JDEwJC5SRFhYTmc5XC82aXBmNDVzOVpxeVwvLlE0M2hXbVVhR1hzODlvUGlDQmRDMC5aOUV6dmJHQVcifQ== Impact: 5 | Tags: xss, csrf
Description: Detects basic obfuscated JavaScript script injections |
Tags: xss, csrf | ID: 24

Data present in the database:
sdisrecette2=# select * from users where user_id = 'numeriseur';
-[ RECORD 1 ]--------------+-------------------------------------------------------------
id | 115
user_id | numeriseur
password | $2y$10$xmLWrXWCYl8KXil3kjy8bOsXbXO83zpekYbl7mkR6fR.DO/7KWXU6
firstname | Agent
lastname | NUMERISEUR
phone |
mail | a.numeriseur@sdis50.fr
initials |
custom_t1 | 0
custom_t2 |
custom_t3 |
status | OK
enabled | Y
change_password | N
password_modification_date | 2019-09-17 10:31:35.544291
loginmode | standard
cookie_key | $2y$10$.RDXXNg9/6ipf45s9Zqy/.Q43hWmUaGXs89oPiCBdC0.Z9EzvbGAW
cookie_date | 2019-10-28 14:52:42
failed_authentication | 0
locked_until |
external_id | {}
**Problem identified by Florian:**
The cookie_key creates a false positive, making it look like a JavaScript injection is in progress.

Solution:
update users set cookie_key = '' where user_id = 'numeriseur';

History

#1 Updated by Emmanuel DILLARD over 2 years ago

  • Status changed from A traiter (to be processed) to Prêt à développer (ready for development)
  • Target version set to 20.03 (Restricted support)

**Problem identified by Florian:**
The cookie_key creates a false positive, making it look like a JavaScript injection is in progress.

#4 Updated by Florian AZIZIAN about 2 years ago

  • Target version changed from 20.03 (Restricted support) to 19.04 (Security support)

#5 Updated by Emmanuel DILLARD about 2 years ago

  • Priority changed from 2-Serious to 3-Minor

#6 Updated by Emmanuel DILLARD over 1 year ago

  • Status changed from Prêt à développer (ready for development) to Rejected
  • Assignee set to Robin SALDINGER

Behaviour reworked in 20.03 and later versions.

#7 Updated by Emmanuel DILLARD 12 months ago

  • Project changed from Backlog to Backlog Courrier
  • Target version changed from 19.04 (Security support) to 19.04 (Security)
