Bug #12207
Closed
PHP error when logging in and when trying to manually register a mail item with one particular group
Description
Error message displayed at login and when clicking "register a mail item":
[28-Oct-2019 14:32:45 Europe/Paris] PHP Warning: Use of undefined constant _OK - assumed '_OK' (this will throw an Error in a future version of PHP) in /var/www/html/MaarchCourrier/apps/maarch_entreprise/phpids_control.php on line 67
[28-Oct-2019 14:32:45 Europe/Paris] PHP Warning: Use of undefined constant _LEVEL_ERROR - assumed '_LEVEL_ERROR' (this will throw an Error in a future version of PHP) in /var/www/html/MaarchCourrier/apps/maarch_entreprise/phpids_control.php on line 68
[28-Oct-2019 14:32:45 Europe/Paris] PHP Warning: Use of undefined constant _LEVEL_INFO - assumed '_LEVEL_INFO' (this will throw an Error in a future version of PHP) in /var/www/html/MaarchCourrier/core/class/class_history.php on line 370
[28-Oct-2019 14:32:45 Europe/Paris] PHP Warning: Use of undefined constant _LEVEL_WARN - assumed '_LEVEL_WARN' (this will throw an Error in a future version of PHP) in /var/www/html/MaarchCourrier/core/class/class_history.php on line 376
[28-Oct-2019 14:32:45 Europe/Paris] PHP Warning: Use of undefined constant _LEVEL_ERROR - assumed '_LEVEL_ERROR' (this will throw an Error in a future version of PHP) in /var/www/html/MaarchCourrier/core/class/class_history.php on line 382
Maarch history:
PHPIDS CONTROL, USER : numeriseur IP : 10.1.1.69 MESSAGE : Total impact: 5
Affected tags: xss, csrf
Variable: COOKIE.maarchCourrierAuth |
Value: eyJpZCI6MTE1LCJ1c2VySWQiOiJudW1lcmlzZXVyIiwiY29va2llS2V5IjoiJDJ5JDEwJC5SRFhYTmc5XC82aXBmNDVzOVpxeVwvLlE0M2hXbVVhR1h
zODlvUGlDQmRDMC5aOUV6dmJHQVcifQ==
Impact: 5 | Tags: xss, csrf
Description: Detects basic obfuscated JavaScript script injections |
Tags: xss, csrf | ID: 24
Data present in the database:
sdisrecette2=# select * from users where user_id = 'numeriseur';
-[ RECORD 1 ]--------------+-------------------------------------------------------------
id | 115
user_id | numeriseur
password | $2y$10$xmLWrXWCYl8KXil3kjy8bOsXbXO83zpekYbl7mkR6fR.DO/7KWXU6
firstname | Agent
lastname | NUMERISEUR
phone |
mail | a.numeriseur@sdis50.fr
initials |
custom_t1 | 0
custom_t2 |
custom_t3 |
status | OK
enabled | Y
change_password | N
password_modification_date | 2019-09-17 10:31:35.544291
loginmode | standard
cookie_key | $2y$10$.RDXXNg9/6ipf45s9Zqy/.Q43hWmUaGXs89oPiCBdC0.Z9EzvbGAW
cookie_date | 2019-10-28 14:52:42
failed_authentication | 0
locked_until |
external_id | {}
Problem identified by Florian:
The cookie_key creates a false positive by making it look as though a Java injection is in progress.
Solution:
update users set cookie_key = '' where user_id = 'numeriseur';
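
Triage for this kind of PHPIDS hit, as an added example that is not part of the ticket or of Maarch's code: it decodes the flagged maarchCourrierAuth value and checks that it is only the user's own session cookie carrying the bcrypt-format cookie_key stored in the users row. The cookie and row values are copied from the ticket; the function names and the expected field set (id, userId, cookieKey, as seen in this one cookie) are assumptions.

```python
import base64
import binascii
import hmac
import json
import re

# Values copied from the ticket: the cookie PHPIDS flagged (logged wrapped
# over two lines) and the matching columns of the users row.
FLAGGED_COOKIE = (
    "eyJpZCI6MTE1LCJ1c2VySWQiOiJudW1lcmlzZXVyIiwiY29va2llS2V5IjoiJDJ5JDEwJC5S"
    "RFhYTmc5XC82aXBmNDVzOVpxeVwvLlE0M2hXbVVhR1h\n"
    "zODlvUGlDQmRDMC5aOUV6dmJHQVcifQ=="
)
DB_ROW = {
    "id": 115,
    "user_id": "numeriseur",
    "cookie_key": "$2y$10$.RDXXNg9/6ipf45s9Zqy/.Q43hWmUaGXs89oPiCBdC0.Z9EzvbGAW",
}
# bcrypt string: "$2y$", two-digit cost, "$", then 53 chars of salt and hash.
BCRYPT_RE = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")
# Assumption: the field set observed in this ticket's cookie is the full format.
EXPECTED_FIELDS = {"id", "userId", "cookieKey"}


def decode_auth_cookie(logged_value):
    """Return the cookie's JSON object, or None if it is not base64 JSON."""
    compact = "".join(logged_value.split())  # undo line wrapping from the log
    try:
        payload = json.loads(base64.b64decode(compact, validate=True))
    except (binascii.Error, ValueError):
        return None
    return payload if isinstance(payload, dict) else None


def triage(logged_value, row):
    """Classify a flagged cookie value against the user's database row."""
    payload = decode_auth_cookie(logged_value)
    if payload is None:
        return "investigate: not a base64 JSON auth cookie"
    if set(payload) != EXPECTED_FIELDS:
        return "investigate: unexpected fields"
    key = payload["cookieKey"]
    if not isinstance(key, str) or not BCRYPT_RE.fullmatch(key):
        return "investigate: cookieKey is not a bcrypt-format string"
    same_user = payload["id"] == row["id"] and payload["userId"] == row["user_id"]
    if same_user and hmac.compare_digest(key, row["cookie_key"]):
        return "false positive: cookie matches the stored cookie_key"
    return "investigate: cookie does not match the users row"
```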