Write-ups

Shopify

Shopify disclosed on HackerOne: (FULL PATH DISCLOSURE) Unknown...HackerOne

Shopify Summary: A staging instance of the application was available with no authentication at shardm-reader.chi2.shopify.io. Since this instance had verbose errors turned on, any error message would contain information about the application's environment variables, and part of the stack trace with application source code.

Visiting the URL returned a verbose error with the following file paths disclosed :

lib/patches/mysql_monitoring.rb:19:in connect'
lib/patches/mysql_monitoring.rb:19:inblock in raw_connect_with_monitoring'
lib/patches/mysql_monitoring.rb:18:in raw_connect_with_monitoring'
lib/routing/connection.rb:15:inconnection'
app/models/concerns/benchmarking.rb:15:in block (2 levels) in add_benchmark_around_method'
app/models/concerns/benchmarking.rb:24:inwith_benchmark'
app/models/concerns/benchmarking.rb:14:in block in add_benchmark_around_method'
app/models/shop.rb:619:infor_domain'
app/controllers/application_controller.rb:303:in shop_for'
app/controllers/application_controller.rb:96:inwith_shop_fallback'
app/controllers/application_controller.rb:87:in with_shop'
app/controllers/application_controller.rb:73:inset_billing_api_request_id'
app/controllers/application_controller.rb:64:in add_request_id_to_log_context'
app/controllers/application_controller.rb:245:inconditionally_enable_debug_log'
app/controllers/application_controller.rb:54:in block in identity_cache_memoization'
app/controllers/application_controller.rb:54:inidentity_cache_memoization'
/artifacts/ruby/2.2.0/bundler/gems/statsd-instrument-50b2496ea65b/lib/statsd/instrument.rb:284:in call'
/artifacts/ruby/2.2.0/bundler/gems/statsd-instrument-50b2496ea65b/lib/statsd/instrument.rb:284:inblock in measure'
/artifacts/ruby/2.2.0/bundler/gems/statsd-instrument-50b2496ea65b/lib/statsd/instrument.rb:53:in duration'
/artifacts/ruby/2.2.0/bundler/gems/statsd-instrument-50b2496ea65b/lib/statsd/instrument.rb:284:inmeasure'
/artifacts/ruby/2.2.0/bundler/gems/statsd-instrument-50b2496ea65b/lib/statsd/instrument.rb:75:in block (3 levels) in statsd_measure'
/artifacts/ruby/2.2.0/bundler/gems/statsd-instrument-50b2496ea65b/lib/statsd/instrument.rb:284:incall'
/artifacts/ruby/2.2.0/bundler/gems/statsd-instrument-50b2496ea65b/lib/statsd/instrument.rb:284:in block in measure'
/artifacts/ruby/2.2.0/bundler/gems/statsd-instrument-50b2496ea65b/lib/statsd/instrument.rb:53:induration'
/artifacts/ruby/2.2.0/bundler/gems/statsd-instrument-50b2496ea65b/lib/statsd/instrument.rb:284:in measure'
/artifacts/ruby/2.2.0/bundler/gems/statsd-instrument-50b2496ea65b/lib/statsd/instrument.rb:75:inblock (2 levels) in statsd_measure'
semian (0.4.1) lib/semian/mysql2.rb:82:in `block in connect'

DigitalSellz - Verbose SQL Error Message

DigitalSellz disclosed on HackerOne: Verbose SQL error messagesHackerOne

Verbose error messages are returned when sql errors occur revealing backend information including SQL column and query information as well as PHP file location.

PreviousVerbose Error Messages and Stack Traces

Last updated 5 years ago

Was this helpful?

hashtagShopify

hashtagDigitalSellz - Verbose SQL Error Message

Shopify

DigitalSellz - Verbose SQL Error Message