Re: [tor-bugs] #22947 [Webpages/Blog]: Possible Security Issue (Information Disclosure) with Drupal on blog.torproject.org

2018-10-30 Thread Tor Bug Tracker & Wiki
#22947: Possible Security Issue (Information Disclosure) with Drupal on
blog.torproject.org
---+
 Reporter:  cypherpunks|  Owner:  hiro
 Type:  defect | Status:  needs_revision
 Priority:  Medium |  Milestone:
Component:  Webpages/Blog  |Version:
 Severity:  Normal | Resolution:
 Keywords:  security   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by traumschule):

 This error regularly pops up going through search results:
 > Notice: Undefined index: status in
 Drupal\Core\Entity\Sql\SqlContentEntityStorage->loadFromSharedTables()
 (line 555 of core/lib/Drupal/Core/Entity/Sql/SqlContentEntityStorage.php).

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
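
A monitoring-side check for the symptom discussed in this ticket, as an added example (not part of the thread, and not Tor Project or Drupal code): it scans served HTML for strings in the "Type: message in function (line N of file)" shape of the warnings quoted here. The sample page, the markup wrapped around the messages and the name `find_leaked_errors` are constructed for illustration.

```python
import html
import re

# Shape of the on-screen messages quoted in the ticket:
#   <Type>: <message> in <function> (line <N> of <file>).
# The severity list is an assumption covering the labels seen in the thread
# plus "Error"; extend it for other labels your site emits.
DRUPAL_ERROR = re.compile(
    r"\b(?P<type>Notice|Warning|Error):\s+(?P<message>.{1,300}?)\s+in\s+"
    r"(?P<function>\S+)\s+\(line\s+(?P<line>\d+)\s+of\s+(?P<file>[^)\s]+)\)"
)
TAGS = re.compile(r"<[^>]+>")

def find_leaked_errors(page_html):
    """Return one dict per server-side error message found in served HTML."""
    # Strip tags first (so "&gt;" is never mistaken for a tag end), then decode
    # entities and collapse whitespace so inline markup and line wraps inside
    # the message do not hide it from the pattern.
    text = html.unescape(TAGS.sub("", page_html))
    text = " ".join(text.split())
    return [
        {**m.groupdict(), "line": int(m["line"])}
        for m in DRUPAL_ERROR.finditer(text)
    ]

# Constructed sample response: the two messages quoted in the ticket, one with
# assumed inline markup and one as plain text, plus a harmless sentence that
# merely starts with "Warning:".
SAMPLE_PAGE = r"""
<div role="alert"><em class="placeholder">Warning</em>: mkdir(): File exists in
<em class="placeholder">Drupal\Component\PhpStorage\FileStorage-&gt;createDirectory()</em>
(line <em class="placeholder">157</em> of
<em class="placeholder">core/lib/Drupal/Component/PhpStorage/FileStorage.php</em>).</div>
<p>Notice: Undefined index: status in
Drupal\Core\Entity\Sql\SqlContentEntityStorage-&gt;loadFromSharedTables()
(line 555 of core/lib/Drupal/Core/Entity/Sql/SqlContentEntityStorage.php).</p>
<article><p>Warning: this release is an alpha.</p></article>
"""

if __name__ == "__main__":
    for hit in find_leaked_errors(SAMPLE_PAGE):
        print(f'{hit["type"]}: {hit["file"]}:{hit["line"]} via {hit["function"]}')
```

Run against pages fetched from the public site, any hit means internal paths and class names reached a client, which is the condition the ticket asks to have switched off.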

Re: [tor-bugs] #22947 [Webpages/Blog]: Possible Security Issue (Information Disclosure) with Drupal on blog.torproject.org

2018-08-11 Thread Tor Bug Tracker & Wiki
#22947: Possible Security Issue (Information Disclosure) with Drupal on
blog.torproject.org
---+
 Reporter:  cypherpunks|  Owner:  hiro
 Type:  defect | Status:  needs_revision
 Priority:  Medium |  Milestone:
Component:  Webpages/Blog  |Version:
 Severity:  Normal | Resolution:
 Keywords:  security   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by traumschule):

 I propose to [https://www.drupal.org/node/1172266 disable on-screen
 warnings] completely. Users can't act on errors, only admins reviewing a
 log can. Waiting for the next occurrence is the wrong approach in my eyes
 :)
 [https://www.drupal.org/project/errorlevelpermission module error level
 permission]


Re: [tor-bugs] #22947 [Webpages/Blog]: Possible Security Issue (Information Disclosure) with Drupal on blog.torproject.org

2017-08-17 Thread Tor Bug Tracker & Wiki
#22947: Possible Security Issue (Information Disclosure) with Drupal on
blog.torproject.org
---+
 Reporter:  cypherpunks|  Owner:  hiro
 Type:  defect | Status:  needs_revision
 Priority:  Medium |  Milestone:
Component:  Webpages/Blog  |Version:
 Severity:  Normal | Resolution:
 Keywords:  security   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+
Changes (by hiro):

 * status:  accepted => needs_revision



Re: [tor-bugs] #22947 [Webpages/Blog]: Possible Security Issue (Information Disclosure) with Drupal on blog.torproject.org

2017-08-17 Thread Tor Bug Tracker & Wiki
#22947: Possible Security Issue (Information Disclosure) with Drupal on
blog.torproject.org
---+--
 Reporter:  cypherpunks|  Owner:  hiro
 Type:  defect | Status:  accepted
 Priority:  Medium |  Milestone:
Component:  Webpages/Blog  |Version:
 Severity:  Normal | Resolution:
 Keywords:  security   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+--

Comment (by hiro):

 This is probably a cache issue as per https://www.drupal.org/node/2685957

 We are running the latest version as provided from pantheon. Will see if
 next update fixes it.


Re: [tor-bugs] #22947 [Webpages/Blog]: Possible Security Issue (Information Disclosure) with Drupal on blog.torproject.org

2017-08-09 Thread Tor Bug Tracker & Wiki
#22947: Possible Security Issue (Information Disclosure) with Drupal on
blog.torproject.org
---+--
 Reporter:  cypherpunks|  Owner:  hiro
 Type:  defect | Status:  accepted
 Priority:  Medium |  Milestone:
Component:  Webpages/Blog  |Version:
 Severity:  Normal | Resolution:
 Keywords:  security   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+--

Comment (by cypherpunks):

 Got the exact same error again when clicking on new comment, relevant link
 https://blog.torproject.org/comment/reply/node/1384/comment_node_article/270328


Re: [tor-bugs] #22947 [Webpages/Blog]: Possible Security Issue (Information Disclosure) with Drupal on blog.torproject.org

2017-08-01 Thread Tor Bug Tracker & Wiki
#22947: Possible Security Issue (Information Disclosure) with Drupal on
blog.torproject.org
---+--
 Reporter:  cypherpunks|  Owner:  hiro
 Type:  defect | Status:  accepted
 Priority:  Medium |  Milestone:
Component:  Webpages/Blog  |Version:
 Severity:  Normal | Resolution:
 Keywords:  security   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+--

Comment (by cypherpunks):

 Replying to [comment:4 cypherpunks]:
 > Different person from the OP but I got this error message show up after
 > posting a comment:
 >
 > {{{
 > Warning: mkdir(): File exists in
 > Drupal\Component\PhpStorage\FileStorage->createDirectory() (line 157 of
 > core/lib/Drupal/Component/PhpStorage/FileStorage.php).
 > }}}
 Yeah, that's the message I saw when I reported this (or very, very
 similar). The line numbers or filenames might be different, since I didn't
 post a comment before getting that error. Thanks for helping track this
 down!


Re: [tor-bugs] #22947 [Webpages/Blog]: Possible Security Issue (Information Disclosure) with Drupal on blog.torproject.org

2017-07-26 Thread Tor Bug Tracker & Wiki
#22947: Possible Security Issue (Information Disclosure) with Drupal on
blog.torproject.org
---+--
 Reporter:  cypherpunks|  Owner:  hiro
 Type:  defect | Status:  accepted
 Priority:  Medium |  Milestone:
Component:  Webpages/Blog  |Version:
 Severity:  Normal | Resolution:
 Keywords:  security   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+--

Comment (by cypherpunks):

 After searching found this to be the same error message I got: #22850

 I bet this ticket is a duplicate and the OP got the same message as us.


Re: [tor-bugs] #22947 [Webpages/Blog]: Possible Security Issue (Information Disclosure) with Drupal on blog.torproject.org

2017-07-26 Thread Tor Bug Tracker & Wiki
#22947: Possible Security Issue (Information Disclosure) with Drupal on
blog.torproject.org
---+--
 Reporter:  cypherpunks|  Owner:  hiro
 Type:  defect | Status:  accepted
 Priority:  Medium |  Milestone:
Component:  Webpages/Blog  |Version:
 Severity:  Normal | Resolution:
 Keywords:  security   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+--

Comment (by cypherpunks):

 Different person from the OP but I got this error message show up after
 posting a comment:

 {{{
 Warning: mkdir(): File exists in
 Drupal\Component\PhpStorage\FileStorage->createDirectory() (line 157 of
 core/lib/Drupal/Component/PhpStorage/FileStorage.php).
 }}}


Re: [tor-bugs] #22947 [Webpages/Blog]: Possible Security Issue (Information Disclosure) with Drupal on blog.torproject.org

2017-07-17 Thread Tor Bug Tracker & Wiki
#22947: Possible Security Issue (Information Disclosure) with Drupal on
blog.torproject.org
---+--
 Reporter:  cypherpunks|  Owner:  hiro
 Type:  defect | Status:  accepted
 Priority:  Medium |  Milestone:
Component:  Webpages/Blog  |Version:
 Severity:  Normal | Resolution:
 Keywords:  security   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+--

Comment (by hiro):

 I have been hunting down this bug for a while, since it has been reported
 a few times. It is difficult to understand what's happening since it
 doesn't show up in the logs. I have a ticket open with pantheon to check
 if they could see something in the logs I wasn't able to spot. For the
 moment nothing is showing :(. Will see if I can get more info. My guess is
 that when I update the blog this error comes along and some of the modules
 is responsible for it (or maybe is some session issue).


Re: [tor-bugs] #22947 [Webpages/Blog]: Possible Security Issue (Information Disclosure) with Drupal on blog.torproject.org

2017-07-17 Thread Tor Bug Tracker & Wiki
#22947: Possible Security Issue (Information Disclosure) with Drupal on
blog.torproject.org
---+--
 Reporter:  cypherpunks|  Owner:  hiro
 Type:  defect | Status:  accepted
 Priority:  Medium |  Milestone:
Component:  Webpages/Blog  |Version:
 Severity:  Normal | Resolution:
 Keywords:  security   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+--
Changes (by hiro):

 * status:  new => accepted



Re: [tor-bugs] #22947 [Webpages/Blog]: Possible Security Issue (Information Disclosure) with Drupal on blog.torproject.org

2017-07-16 Thread Tor Bug Tracker & Wiki
#22947: Possible Security Issue (Information Disclosure) with Drupal on
blog.torproject.org
---+--
 Reporter:  cypherpunks|  Owner:  hiro
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Webpages/Blog  |Version:
 Severity:  Normal | Resolution:
 Keywords:  security   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+--

Comment (by cypherpunks):

 After trying a bit to reproduce this, I failed to do so. This may have
 been a transient bug due to restoring a tab from a previous session (maybe
 Firefox did something weird with a header in the request and the
 server-side scripting didn't like it?) or maybe someone was poking the
 Drupal backend at the same time I was loading the page?

 Either way, someone may want to look at the Drupal config and at least
 make sure server-side issues don't get spit out into the HTML served to
 the client.


[tor-bugs] #22947 [Webpages/Blog]: Possible Security Issue (Information Disclosure) with Drupal on blog.torproject.org

2017-07-15 Thread Tor Bug Tracker & Wiki
#22947: Possible Security Issue (Information Disclosure) with Drupal on
blog.torproject.org
---+--
 Reporter:  cypherpunks|  Owner:  hiro
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Webpages/Blog  |Version:
 Severity:  Normal |   Keywords:  security
Actual Points: |  Parent ID:
   Points: |   Reviewer:
  Sponsor: |
---+--
 When loading
 https://blog.torproject.org/blog/tor-0312-alpha-out-notes-about-0311-alpha,
 a Drupal warning appeared at the top of the page that looked something
 like:

 Warning: Drupal mkdir() failed directory already exists, etc. etc.

 Encountered around 06:00-06:10 UTC. I apologize for the vague wording, but
 I was an idiot and forgot to take a screenshot. The error appeared after
 the tab was reloaded from a previous Firefox session, and disappeared
 after I refreshed the page.  The warning message contained directory/path
 names that appeared at least slightly sensitive. I don't think that
 displaying server-side error messages to a client is intended behavior,
 either...

 Apologies if this is the wrong channel for reporting this. I looked for an
 email address for security issues, but the Contact page says to "email the
 respective maintainer" (???). I'm not familiar with who maintains the
 blog, and it doesn't seem very high-risk or reproducible, so I'll leave a
 comment on the blog directing someone here.
