
SilverStripe Forums » Archive » Is db/build a security problem?

Our old forums are still available as a read-only archive.

Moderators: martimiz, Sean, biapar, Willr, Ingo, simon_w

  • xmedeko
    Community Member
    94 Posts

    Is db/build a security problem?

    I can do

    http://www.silverstripe.com/db/build

    and see your tables. Is that a security problem? What about a patch like this:

    --- DatabaseAdmin.php.orig 2007-06-14 11:49:31.000000000 +1200
    +++ DatabaseAdmin.php 2007-06-14 11:48:58.000000000 +1200
    @@ -88,6 +88,9 @@

    function doBuild($quiet = false) {
    + if (!Director::isDev() && !Director::isTest()) {
    + return;
    + }
    if($quiet) DB::quiet();
    else echo "<h2>Building Database</h2>";
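Review bot: the early `return` in doBuild() silently disables db/build outside dev and test, so an administrator on a live site gets a blank page instead of a login prompt or an error, and the live-site use that Sam's reply below wants (updating the schema after republication) is cut off entirely; an authorization check that redirects to login or answers 403 fits that requirement better than an environment check. The gate is also only as strong as whatever controls Director::isDev(), and later posts in this thread note that dev mode can be switched on manually.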

  • Sam
    Administrator
    679 Posts

    Re: Is db/build a security problem?

    It's not a massive problem, but it's something that should be tidied up.

    The best bet is to force admin log-in for these kinds of actions, since sometimes you want to be able to do this on the live site - to update the schema after republication, for example.

    One of the issues that we will run into at our office is that our publication script needs to be able to visit db/build without logging in.

    I recommend that we set up some kind of "debug security" option in the form of a function called Security::use_debug_security();

    It will
    * Check that the IP requesting isn't one of the "allowed IPs"
    * Otherwise, check that this current user has admin privileges
    * Otherwise, redirect to the log-in page and end execution.

    function doBuild($quiet = false) {
    + Security::use_debug_security();
    if($quiet) DB::quiet();
    else echo "<h2>Building Database</h2>";
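Review bot: the first bullet of the three-step list reads inverted: "check that the IP requesting isn't one of the allowed IPs" would deny exactly the publication script this function exists to admit, while the "Otherwise" bullets only make sense if step one admits allowed IPs; the intended order is allow if the IP is in the allowed list, else allow if the current user is an admin, else redirect and stop. Also, since doBuild() continues straight into DB::quiet() / echo after `Security::use_debug_security();`, that call must itself end execution on failure; a check that returns a bool which doBuild() tests would make the control flow explicit.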

    We can add a method Security::allow_debug_security_for($ip). $ip could be:
    * 192.168.0.1
    * 192.168.0/24
    * 192.168/16
    * 192/8

    This debug security option can also be used on manually switching to dev mode, viewing profile / debugging information, flushing the templates, etc.
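The use_debug_security() / allow_debug_security_for($ip) design from this post, written out as an added example that is not SilverStripe's or Sam's code: a hypothetical DebugSecurity class whose allowFor() parses the four address notations listed above and whose check() applies the allowed-IP-then-admin rule, returning false where the caller should redirect to login. Class and method names are assumptions.

```php
<?php
// Added example (not SilverStripe code); class and method names are hypothetical.
final class DebugSecurity
{
    /** @var array<int, array{int, int}> pairs of [network address, prefix length] */
    private static array $allowed = [];

    // Accepts the four notations from the proposal:
    // 192.168.0.1, 192.168.0/24, 192.168/16, 192/8 (missing trailing octets read as 0).
    public static function allowFor(string $spec): void
    {
        [$addr, $prefix] = array_pad(explode('/', $spec, 2), 2, null);
        $octets = explode('.', $addr);
        if (count($octets) > 4) {
            throw new InvalidArgumentException("bad IP spec: $spec");
        }
        foreach ($octets as $o) {
            if (!ctype_digit($o) || (int) $o > 255) {
                throw new InvalidArgumentException("bad IP spec: $spec");
            }
        }
        if ($prefix !== null && (!ctype_digit($prefix) || (int) $prefix > 32)) {
            throw new InvalidArgumentException("bad prefix length: $spec");
        }
        $network = ip2long(implode('.', array_pad($octets, 4, '0')));
        self::$allowed[] = [$network, $prefix === null ? 32 : (int) $prefix];
    }

    // True when $ip falls inside any allowed range.
    public static function isAllowedIp(string $ip): bool
    {
        $n = ip2long($ip);
        if ($n === false) {
            return false;
        }
        foreach (self::$allowed as [$network, $prefix]) {
            // -1 << k keeps the top $prefix bits set; a /0 entry matches everything.
            $mask = $prefix === 0 ? 0 : -1 << (32 - $prefix);
            if (($n & $mask) === ($network & $mask)) {
                return true;
            }
        }
        return false;
    }

    // The proposal's order: allowed IP, else admin, else the caller redirects to login.
    public static function check(string $remoteIp, bool $isAdmin): bool
    {
        return self::isAllowedIp($remoteIp) || $isAdmin;
    }
}
```

Match against the socket peer address (REMOTE_ADDR) rather than a client-supplied header such as X-Forwarded-For unless a trusted proxy in front of the site sets it, since otherwise anyone who can forge the header can satisfy the allow-list.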

  • Sam
    Administrator
    679 Posts

    Re: Is db/build a security problem?

    I've deleted the preceding post; don't really want to have that kind of information available for public reading.

    Thanks for pointing this out, xmedeko, we'll be looking into this as a top priority and I'll let you know once we've sorted this.

  • Sigurd
    Forum Moderator
    628 Posts

    Re: Is db/build a security problem?

    This is resolved in v2.0.2 that came out a few days ago.

    You now have to log in as an administrator to run db/build

  • JoGiles
    9 Posts

    Re: Is db/build a security problem?

    Hey guys,

    I'm running silverstripe 2.0.2b, but can't log in to /db/build with my user login details. I am an administrator within the site, and can log in to that fine - but not into /db/build (where I want to go to install forum support).

    Perhaps there has been an oversight in this improvement? I would hazard a guess (without knowing the silverstripe codebase) that the problem is in DatabaseAdmin's build() function around that if statement.

    Cheers,
    Jonathan Giles

  • elijahlofgren
    Google Summer of Code Hacker
    222 Posts

    Re: Is db/build a security problem?

    Hi JoGiles,

    It seems that sometimes build/db authentication does not work. It works on my local dev server, but not on my remote one. The best workaround that I know of is to temporarily enable dev mode: http://doc.silverstripe.com/doku.php?id=devmode

    Hope this helps,

    Elijah
