
[Bug 572161] Some staging website is exposed.

Bugzilla Link 572161
Status ASSIGNED
Importance P3 normal
Reported Mar 22, 2021 04:35 EDT
Modified Jun 16, 2021 08:08 EDT
Reporter KENTA YAMAMOTO

Description

Hello.

The following domains are supposed to be access controlled, but appear to be accessible to everyone.

http://staging.eclipse.org
https://accounts-staging.eclipse.org/user

I accessed the following URL using HTTPS, and it requests authentication.
https://staging.eclipse.org

I'm not sure which is the correct behavior, but I recommend checking the settings.
Also, I found that the API server responded with an SQL error.

https://api-staging.eclipse.org/account/profile/[MYPROFILEID]/forum?page=1&pagesize=10

=======
<h1>Uncaught exception thrown in session handler.</h1><p>PDOException: SQLSTATE[42S02]: Base table or view not found: 1146 Table &#039;dev_fud_eclipse.fud_sessions&#039; doesn&#039;t exist: SELECT 1 AS expression
FROM
{sessions} sessions
WHERE ( (sid = :db_condition_placeholder_0) AND (ssid = :db_condition_placeholder_1) ); Array
(
    [:db_condition_placeholder_0] =&gt; [MYSESSIONID]
    [:db_condition_placeholder_1] =&gt; [MYSESSIONID]
)
 in _drupal_session_write() (line 209 of /localsite/api-staging.eclipse.org/includes/session.inc).</p><hr />

======

This is also a staging server, so it's natural behavior. However, this gives attackers hints to crack it and so should be access controlled.

Regards.

Edited by Frederic Gurr
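
A check for the kind of error disclosure reported above, as an added example that is not part of the original report or of Eclipse's code: it scans a response body for the exception class, SQLSTATE code, database table name, server file path and raw SQL that the quoted error page exposes. The function names, the pattern set and the sample bodies are assumptions made for this example; the sample is constructed from the error text in the report.

```python
import html
import re

# Details an error page should not return to an unauthenticated client.
LEAK_PATTERNS = {
    "exception_class": re.compile(r"\b(\w+Exception)\b"),
    "sqlstate": re.compile(r"SQLSTATE\[(\w{5})\]"),
    "db_table": re.compile(r"Table '([\w$]+\.[\w$]+)'"),
    "server_path": re.compile(r"line \d+ of (/[^\s)<]+)"),
    "raw_sql": re.compile(
        r"\b(SELECT|INSERT|UPDATE|DELETE)\b[^;<]*\b(?:FROM|INTO|SET)\b"),
}


def decode_entities(text, max_rounds=3):
    """Unescape HTML entities until stable; error bodies are often double-encoded."""
    for _ in range(max_rounds):
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_disclosures(body):
    """Return {category: [leaked values]} for an HTTP response body."""
    text = decode_entities(body)
    findings = {}
    for name, pattern in LEAK_PATTERNS.items():
        hits = sorted({m.group(1) for m in pattern.finditer(text)})
        if hits:
            findings[name] = hits
    return findings


# Constructed sample: the error text from the report, shortened, with
# double-encoded entities so the decoding step is exercised.
SAMPLE_ERROR_BODY = (
    "<h1>Uncaught exception thrown in session handler.</h1><p>PDOException: "
    "SQLSTATE[42S02]: Base table or view not found: 1146 Table "
    "&amp;#039;dev_fud_eclipse.fud_sessions&amp;#039; doesn&amp;#039;t exist: "
    "SELECT 1 AS expression\nFROM\n{sessions} sessions\nWHERE ( (sid = "
    ":db_condition_placeholder_0) ); in _drupal_session_write() (line 209 of "
    "/localsite/api-staging.eclipse.org/includes/session.inc).</p><hr />"
)
# Constructed sample: a generic error page that leaks nothing.
SAMPLE_CLEAN_BODY = "<h1>Service unavailable</h1><p>Please try again later.</p>"

if __name__ == "__main__":
    for category, values in find_disclosures(SAMPLE_ERROR_BODY).items():
        print(f"{category}: {values}")
```

Run against the bodies returned by a site's own error paths, an empty result is the expected outcome for any host reachable without authentication.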