Post by kestas » Tue Jan 08, 2019 4:33 pm

Hi all,

I don't know how to correctly name this issue, but it seems this is a big problem in the OC3.0.2 version, and in the OC2.3 version also.

So if your server fails, or something is wrong on the server and you can't connect to the database, you get the error below... where you can find your database server name, DB name and password... I have masked them with asterisks.

Does anybody know this issue?
Warning: mysqli::mysqli(): php_network_getaddresses: getaddrinfo failed: Name or service not known in /mounted-storage/home20/sub005/sc75372-HHAX/sitename.com/demo/oc3.0.2/system/library/db/mysqli.php on line 7
Warning: mysqli::mysqli(): (HY000/2002): php_network_getaddresses: getaddrinfo failed: Name or service not known in /mounted-storage/home20/sub005/sc75372-HHAX/sitename.com/demo/oc3.0.2/system/library/db/mysqli.php on line 7
Warning: DB\MySQLi::__construct(): Couldn't fetch mysqli in /mounted-storage/home20/sub005/sc75372-HHAX/sitename.com/demo/oc3.0.2/system/library/db/mysqli.php on line 10
Warning: DB\MySQLi::__construct(): Couldn't fetch mysqli in /mounted-storage/home20/sub005/sc75372-HHAX/sitename.com/demo/oc3.0.2/system/library/db/mysqli.php on line 10
Fatal error: Uncaught exception 'Exception' with message 'Error: <br />Error No: ' in /mounted-storage/home20/sub005/sc75372-HHAX/sitename.com/demo/oc3.0.2/system/library/db/mysqli.php:10 Stack trace: #0 /mounted-storage/home20/sub005/sc75372-HHAX/sitename.com/demo/oc3.0.2/system/library/db.php(31): DB\MySQLi->__construct('*****', '******', '******', '*****', '3306') #1 /mounted-storage/home20/sub005/sc75372-HHAX/sitename.com/demo/oc3.0.2/system/framework.php(80): DB->__construct('mysqli', '*****', '******', '******', '******', '3306') #2 /mounted-storage/home20/sub005/sc75372-HHAX/sitename.com/demo/oc3.0.2/system/startup.php(104): require_once('/mounted-storag...') #3 /mounted-storage/home20/sub005/sc75372-HHAX/sitename.com/demo/oc3.0.2/admin/index.php(19): start('admin') #4 {main} thrown in /mounted-storage/home20/sub005/sc75372-HHAX/sitename.com/demo/oc3.0.2/system/library/db/mysqli.php on line 10

Custom OpenCart modules and solutions. Just PM me... Extensions you can find here



Post by OSWorX » Tue Jan 08, 2019 6:28 pm

And why do you think that this should be a backdoor??
Renamed the title because it was irrelevant and confusing to visitors.

Forum Rules [en]: viewtopic.php?f=176&t=200480
Forumregeln [de]: viewtopic.php?f=37&t=114208
Commercial Request: viewforum.php?f=88


Post by kestas » Tue Jan 08, 2019 6:45 pm

OSWorX wrote:
Tue Jan 08, 2019 6:28 pm
And why do you think that this should be a backdoor??
Renamed the title because it was irrelevant and confusing to visitors.
Regarding renaming I agree.
And thanks for the opinion.
If you have read my post carefully, I said I don't know how to name this issue. But in this case I got all the credentials to connect to the DB. And my OC DB was hacked some time before... So I think this was an issue.
Can you give a title for this issue?
Seems I know how to resolve it, I just need to test.


Post by xxvirusxx » Tue Jan 08, 2019 7:34 pm

Confirm this.

I think it is a high security risk.

How to reproduce when the server works:

Open config.php (not from admin) and add something (a letter, number) after the database username or database name.
Then when you access the website URL it shows those errors and all the info is displayed: database username, database name, database password.

It should display only the database username, like WordPress:

Code:

Warning: mysqli_real_connect(): (HY000/1045): Access denied for user 'xxxx'@'localhost' (using password: YES) in file...
Or show other info... not the database, username, password.

And it was reported in 2016... but nah:
https://github.com/opencart/opencart/issues/5027

LE: I don't know if it is a PRO fix, but it works.

Replace this:

Code:

throw new \Exception('Error: ' . $this->connection->error . '<br />Error No: ' . $this->connection->errno);
with this:

Code:

trigger_error('Error: ' . $this->connection->error . '<br />Error No: ' . $this->connection->errno);
exit();
And this:

Code:

throw new \Exception('Error: ' . $this->connection->error  . '<br />Error No: ' . $this->connection->errno . '<br />' . $sql);
with this:

Code:

trigger_error('Error: ' . $this->connection->error  . '<br />Error No: ' . $this->connection->errno . '<br />' . $sql);

Opencart 3.0.2.0 with bugs fixed | Free extensions


Active Member

Posts

Joined
Tue Jul 17, 2012 10:35 pm

Post by ADD Creative » Tue Jan 08, 2019 10:25 pm

If you configure the error display correctly for a production site, there is no problem. The error display is only meant for debugging use when setting up. Once the site is set up and live, all error displaying should be switched off.

To switch off:
1. Switch off Display Errors under the Error Handling section of the Server tab in the OpenCart settings.

2. Set $_['error_display'] to false in system/config/default.php

3. Set display_errors = Off in your PHP configuration, usually by adding it to your php.ini file. Any decent host should have this set to off anyway. However, it's surprising how many leave it set to on.

4. Check that your PHP error_log file is not publicly accessible. Again, this can be set in your php.ini.

Maybe this should be made clearer in the installation instructions.

www.add-creative.co.uk
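The two halves of this thread, xxvirusxx's patch that strips the connection details from the thrown exception and ADD Creative's advice to keep error display off on a live site, fit together in one small PHP bootstrap. This is an added example, not OpenCart's own code: the DB_* constants are constructed sample values (the host is deliberately unresolvable so the connection fails), and the handler names are mine.

```php
<?php
// Added example (not OpenCart's code): connect to MySQL so that a failure is
// logged in full but never shows the user a warning, a stack trace or the
// credentials that were passed to the driver.
declare(strict_types=1);

// Constructed sample credentials; 'db.invalid' never resolves, so this fails.
const DB_HOSTNAME = 'db.invalid';
const DB_USERNAME = 'shop_user';
const DB_PASSWORD = 'sample-secret';
const DB_DATABASE = 'shop';
const DB_PORT     = 3306;

// 1. Production defaults: nothing to the browser, everything to error_log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
// PHP 7.4+: omit function arguments (the password included) from traces.
ini_set('zend.exception_ignore_args', '1');

// 2. Any uncaught exception: full detail to the log, generic page to the user.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('[%s] %s in %s:%d', get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'The store is temporarily unavailable. Please try again later.';
});

// 3. Make mysqli throw on failure instead of emitting warnings that embed
//    host and user details in the page.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connectDb(): mysqli
{
    try {
        return new mysqli(DB_HOSTNAME, DB_USERNAME, DB_PASSWORD, DB_DATABASE, DB_PORT);
    } catch (mysqli_sql_exception $e) {
        // Re-throw carrying only the driver's error text and number, which is
        // what the thread's patch keeps; the credentials are not in the message.
        throw new RuntimeException(
            'Database connection failed: ' . $e->getMessage()
            . ' (errno ' . $e->getCode() . ')'
        );
    }
}

// With the constructed host above this throws; the handler logs it and the
// visitor sees only the generic 500 page.
$db = connectDb();
```

Step 4 of the list above still applies: the error_log target this writes to must sit outside the web root, or the details move from the page to a URL.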


Active Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by xxvirusxx » Tue Jan 08, 2019 10:30 pm

ADD Creative wrote:
Tue Jan 08, 2019 10:25 pm
If you configure the error display correctly for a production site, there is no problem.
This should never happen. With errors ON or OFF.
Yes, it can display errors... but not the database name and password...

And not all users know how to set the error log correctly...


Post by ADD Creative » Tue Jan 08, 2019 10:46 pm

While I agree that credentials should not be output in error messages, just making a change to the database drivers won't stop all the other possible places where critical (security, personal, etc.) data may be leaked in error messages or to error logs.

Educating store owners how to configure their sites correctly has greater benefits.

Changing from exception to trigger_error will just move the problem to a different error handler.


Post by xxvirusxx » Tue Jan 08, 2019 11:13 pm

Yes I know. Good hackers can do almost anything or anything.

And I think not all store owners hire companies to do their job.
Some store owners install it themselves.


Post by kestas » Tue Jan 08, 2019 11:28 pm

ADD Creative wrote:
Tue Jan 08, 2019 10:25 pm
If you configure the error display correctly for a production site, there is no problem. The error display is only meant for debugging use when setting up. Once the site is set up and live, all error displaying should be switched off.

To switch off:
1. Switch off Display Errors under the Error Handling section of the Server tab in the OpenCart settings.

2. Set $_['error_display'] to false in system/config/default.php

3. Set display_errors = Off in your PHP configuration, usually by adding it to your php.ini file. Any decent host should have this set to off anyway. However, it's surprising how many leave it set to on.

4. Check that your PHP error_log file is not publicly accessible. Again, this can be set in your php.ini.

Maybe this should be made clearer in the installation instructions.
Yes, only one exception... all this should be vice versa. By default all possible error logs and error handlers must be switched off. Most people who use OC are not familiar with coding. So these errors are usable just for developers. Or maybe for hackers, as in this case...
I think it is easier for a developer to switch on all necessary possibilities.


Post by ADD Creative » Wed Jan 09, 2019 12:52 am

I agree that the defaults should be off. Not only for security, but also because you see many posts on the forum where the error, such as with ajax responses, is caused by PHP warnings and messages that don't matter that much.

You'll have to convince the OpenCart developers. It's been reported several times and the response is usually to switch off display errors.
https://github.com/opencart/opencart/issues/5027

As for the PHP setting, the default is off in the php.ini-production file. Yet you see so many hosts set the default to on.
