Kaltura.domain.com/index.php/system/requests

Hello! Thank you in advance for your help.

I had a security audit of my site and it reported a vulnerability related to Kaltura. Basically, when such a request is made: mydomain.com/index.php/system/requests a series of data are presented:

APACHE1:
Fri Nov 13 17:53:19 WET 2020
Could not open input file: /web/kaltura/support_prod/monitor/request_types.php
APACHE2:
Fri Nov 13 17:53:19 WET 2020
Could not open input file: /web/kaltura/support_prod/monitor/request_types.php
APACHE3:
Fri Nov 13 17:53:19 WET 2020
Could not open input file: /web/kaltura/support_prod/monitor/request_types.php
APACHE5:
Fri Nov 13 17:53:19 WET 2020
Could not open input file: /web/kaltura/support_prod/monitor/request_types.php
APACHE6:
Fri Nov 13 17:53:19 WET 2020
Could not open input file: /web/kaltura/support_prod/monitor/request_types.php
APACHE7:
Fri Nov 13 17:53:19 WET 2020
Could not open input file: /web/kaltura/support_prod/monitor/request_types.php

Basically I will have to hide these messages in order not to disclose the path of the application. Do you know how I can do that?

Thanks a lot for the help.

Hello,

Your question is not specific to Kaltura actually but rather, pertains to your PHP config.
See https://www.php.net/manual/en/errorfunc.configuration.php#ini.display-errors

Cheers,

1 Like

Hi Jess.

Thanks for the reply.

In my PHP there is already the flag “display_errors = Off”.

The config file kaltura/app/alpha/apps/kaltura/modules/system/actions/requestsAction.class.php has this code:

class requestsAction extends kalturaSystemAction
{
	public function execute()
	{
		ini_set("memory_limit","128M");
		header('Content-Type: text/plain');
		for($i = 1; $i <= 7; $i++)
		{
			if ($i == 4)
				continue;
			echo "APACHE$i:\n";
			ob_start();
			passthru("tail -10000 /web/logs/APACHE$i-access_log|head -1");
			passthru("date");
			passthru("tail -10000 /web/logs/APACHE$i-access_log|php /web/kaltura/support_prod/monitor/request_types.php");
			$result = ob_get_contents();
			ob_end_clean();
			echo $result;
		}

		die;
	}
}

?>

If I comment the “echos”, my page no longer displays the information I want to hide. But I believe that this will not be the best approach …
Is there any configuration to inhibit this information? I found in the /kaltura/app/configurations folder several properties “display_errors” with values 0 and 1. Could it be any of these properties? Any ideas?

admin.ini:phpSettings.display_errors = 0
admin.ini:phpSettings.display_errors = 1
admin.ini:phpSettings.display_errors = 1
var.ini:phpSettings.display_errors = 0
var.ini:phpSettings.display_errors = 1
var.ini:phpSettings.display_errors = 1

Thanks a lot

Hi @trm_1981,

My apologies. Now I understand. This file is needed for nothing. You can safely remove it and I’ll make certain it is removed from the repo as well.

Thanks for reporting,

Hi,
Erase the file kaltura/app/alpha/apps/kaltura/modules/system/actions/requestsAction.class.php ?
Thanks a lot Jess

Hi @trm_1981,

Yes, indeed. See https://github.com/kaltura/server/pull/10170

Cheers,

1 Like
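
A check to run after removing the file, as an added example that is not part of the original thread and not Kaltura code: it scans a response body for the path-disclosing messages quoted in the first post and for the `APACHEn:` markers the action prints. The function names, regexes and sample bodies are assumptions constructed for illustration.

```python
"""Scan an HTTP response body for server-side path disclosure (added example)."""
import re
import sys
import urllib.error
import urllib.request

# Message shapes that carry an absolute path. The first is the PHP CLI message
# quoted in the thread; the second is the usual PHP "in <file> on line N" form.
PATTERNS = [
    re.compile(r"Could not open input file: (?P<path>/\S+)"),
    re.compile(r"\bin (?P<path>/\S+\.php) on line \d+"),
]
# Per-server header lines that requestsAction echoes before each block.
MARKER = re.compile(r"^APACHE\d+:$", re.MULTILINE)

def find_path_disclosures(body):
    """Return the sorted, de-duplicated absolute paths leaked in body."""
    return sorted({m.group("path") for p in PATTERNS for m in p.finditer(body)})

def action_still_present(body):
    """True if the body still carries the action's APACHEn: header lines."""
    return MARKER.search(body) is not None

def fetch(url, timeout=10):
    """Return (status, body); HTTP error pages are scanned too, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

# Constructed samples: the first is modelled on the output in the first post,
# the second is a guess at what a removed action might return.
SAMPLE_BEFORE = (
    "APACHE1:\nFri Nov 13 17:53:19 WET 2020\n"
    "Could not open input file: /web/kaltura/support_prod/monitor/request_types.php\n"
    "APACHE2:\nFri Nov 13 17:53:19 WET 2020\n"
    "Could not open input file: /web/kaltura/support_prod/monitor/request_types.php\n"
)
SAMPLE_AFTER = "Not Found\n"

if __name__ == "__main__":
    # Pass your own URL as the only argument; without one the sample is scanned.
    status, body = fetch(sys.argv[1]) if len(sys.argv) == 2 else (200, SAMPLE_BEFORE)
    leaks = find_path_disclosures(body)
    print(f"HTTP {status}: action present={action_still_present(body)}, leaks={leaks}")
    sys.exit(1 if leaks or action_still_present(body) else 0)
```

The non-zero exit status makes the script usable as a regression check in a deployment pipeline or a scheduled monitor.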