
How banks protect your personal data - log.txt

Good day, everyone.
Since I have not received a response from the owners of the service within a reasonable amount of time, I am writing here.
Briefly, the essence and purpose of the post: log.txt is bad. Do not forget about it and check your projects more often (e.g. right now).
UPD 3: In older versions of Bitrix, there was an unpleasant default in bitrix/php_interface/(dbconn|init).php: the LOG_FILENAME constant, which, as you guessed, leads to the problems described.

Link: <removed on the advice of the UFO>
Picture: <removed on the advice of the UFO>, one and two
The footer has buttons for the respected ADV and AIC, and it is not clear who is more to blame (finding out is not my goal); judging by the paths, it seems to be the former, with all due respect to them.

Obvious statements:


And yes, please refrain from throwing tomatoes of the * - * kind; after all, nothing critical leaked, only emails and the secrets of social network applications.
In short, the log contained SQL queries that had failed with errors. From the logs it was possible to learn some site parameters (the secret parts of the keys for social networks), paths with error traces, of course, user emails, and some personal information (First Name / Last Name, the password-reset check word), which can be used for phishing.

UPD 15:41: Links removed at the insistent hint of the UFO.
UPD 18:30 New pictures
UPD 3: dev.1c-bitrix.ru/api_help/main/functions/debug/addmessage2log.php
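
An added example (not from the original post or from Bitrix): a local audit for the LOG_FILENAME default mentioned in UPD 3, reporting whether the configured log file resolves to a path under the document root. It assumes the constant is set with a simple expression such as `define("LOG_FILENAME", $_SERVER["DOCUMENT_ROOT"]."/log.txt");`, and the function names `audit` and `resolve_log_path` are hypothetical.

```python
import re
import sys
from pathlib import Path

# Files named in the post where older Bitrix installs define LOG_FILENAME.
CONFIG_FILES = ("bitrix/php_interface/dbconn.php", "bitrix/php_interface/init.php")
DEFINE_RE = re.compile(r"""define\s*\(\s*['"]LOG_FILENAME['"]\s*,\s*(.+?)\)\s*;""", re.I | re.S)
DOCROOT_RE = re.compile(r"""\$_SERVER\s*\[\s*['"]DOCUMENT_ROOT['"]\s*\]""")
STRING_RE = re.compile(r"""(['"])(.*?)\1""")


def resolve_log_path(expr, docroot):
    """Evaluate a simple PHP expression such as DOCUMENT_ROOT . "/log.txt"."""
    uses_docroot = bool(DOCROOT_RE.search(expr))
    literal = "".join(m.group(2) for m in STRING_RE.finditer(DOCROOT_RE.sub("", expr)))
    if uses_docroot and literal:
        return (docroot / literal.lstrip("/")).resolve()
    if literal.startswith("/"):
        return Path(literal).resolve()
    return None  # relative or dynamic expression: needs manual review


def audit(docroot):
    """Return (config file, resolved log path, exposed) per active define.

    exposed is True when the log lies under the document root, False when it
    lies outside it, and None when the path could not be resolved statically.
    """
    docroot = Path(docroot).resolve()
    findings = []
    for rel in CONFIG_FILES:
        cfg = docroot / rel
        if not cfg.is_file():
            continue
        text = cfg.read_text(encoding="utf-8", errors="replace")
        for m in DEFINE_RE.finditer(text):
            line_start = text.rfind("\n", 0, m.start()) + 1
            if re.search(r"//|#", text[line_start:m.start()]):
                continue  # define is on a commented-out line (block comments not handled)
            path = resolve_log_path(m.group(1), docroot)
            exposed = None if path is None else docroot in path.parents
            findings.append((rel, path, exposed))
    return findings


if __name__ == "__main__":
    for rel, path, exposed in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        state = {True: "INSIDE docroot", False: "outside docroot", None: "unresolved"}[exposed]
        print(f"{rel}: LOG_FILENAME -> {path} ({state})")
```

A log reported as inside the document root can be fetched over HTTP unless the web server denies access to it; pointing LOG_FILENAME at a path outside the docroot removes that dependency.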

Source: https://habr.com/ru/post/165999/