Session and CSRF Token: PHP warning

security
testing
server-manager

(Marc) #1

On each server-manager page request, log reports:

PHP Warning: array_unshift() expects parameter 1 to be array, null given in /usr/share/nethesis/Nethgui/Utility/Session.php on line 246
PHP Warning: array_splice() expects parameter 1 to be array, null given in /usr/share/nethesis/Nethgui/Utility/Session.php on line 247

nethserver-httpd-admin-2.2.0-1.ns7.noarch
nethserver-httpd-3.2.0-1.ns7.noarch || nethserver-httpd-3.2.0-1.6.g9917897.ns7.noarch
nethserver-lib-2.2.7-1.ns7.noarch
nethserver-php-1.2.0-1.ns7.noarch


(Davide Principi) #2

You’re right, it’s the kind of mistake that originates from mixing Perl and PHP array programming :unamused:

Workaround: downgrade nethserver-httpd-admin ?


(Davide Principi) #3

The warning message is a symptom of a security regression that makes Server Manager susceptible to CSRF attacks. Even if the vulnerability is hard to exploit, the best thing to do is to log out from Server Manager and revert the last nethserver-httpd-admin update with the following command:

yum --noplugins downgrade nethserver-httpd-admin-2.1.1

The regression is present in version 2.2.0 of nethserver-httpd-admin only. Previous releases are not affected.

For more information see
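To illustrate the relationship between the two warnings and the CSRF check, here is an added sketch (not Nethgui's code, and not the actual Session.php logic) of a session-backed pool of CSRF tokens maintained with array_unshift()/array_splice(): the session key, pool size, function names and PHP 7 are all assumptions of this example.

```php
<?php
// Illustrative pattern only (not Nethgui's code). Session key name, pool size
// and helper names are assumptions for this example; requires PHP 7+.

const CSRF_POOL_KEY  = 'csrf_tokens'; // assumed session key
const CSRF_POOL_SIZE = 8;             // assumed number of tokens retained

// Issue a fresh token and push it to the front of the pool, dropping the
// oldest. The guard is the important part: if the pool was never initialised
// (null), array_unshift()/array_splice() emit exactly the warnings seen in
// the log, leave the session untouched, and the new token is never stored.
function csrf_issue(array &$session): string
{
    if (!isset($session[CSRF_POOL_KEY]) || !is_array($session[CSRF_POOL_KEY])) {
        $session[CSRF_POOL_KEY] = [];
    }
    $token = bin2hex(random_bytes(32));
    array_unshift($session[CSRF_POOL_KEY], $token);     // newest first
    array_splice($session[CSRF_POOL_KEY], CSRF_POOL_SIZE); // cap the pool
    return $token;
}

// Accept a submitted token only if it matches one of the pooled tokens,
// comparing in constant time. A missing or empty pool rejects every request.
function csrf_validate(array $session, ?string $submitted): bool
{
    if ($submitted === null || empty($session[CSRF_POOL_KEY])) {
        return false;
    }
    foreach ($session[CSRF_POOL_KEY] as $known) {
        if (hash_equals($known, $submitted)) {
            return true;
        }
    }
    return false;
}

// Usage: on page render embed the token in the form, on POST validate it.
session_start();
$token = csrf_issue($_SESSION);
echo '<input type="hidden" name="csrf" value="' . htmlspecialchars($token) . '">';
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && !csrf_validate($_SESSION, $_POST['csrf'] ?? null)) {
    http_response_code(403);
    exit('invalid CSRF token');
}
```

Running a page twice with the guard removed reproduces the two "expects parameter 1 to be array, null given" warnings from the same pair of calls, which is why that log line is worth treating as a signal rather than noise.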


(Davide Principi) #4

(Davide Principi) #5

The fix is available from nethserver-testing repo /cc @quality_team

yum install http://packages.nethserver.org/nethserver/7.4.1708/testing/x86_64/Packages/nethserver-httpd-admin-2.2.0-1.1.g0defa76.ns7.noarch.rpm

(Davide Principi) #6

The fix has been released in nethserver-updates and sent to mirrors for synchronization:

yum clean all && yum update -y nethserver-httpd-admin-2.2.1

(Alessio Fattorini) #7

Ehm, 2 days fix? People be aware that 30 Apr and 1 May are kind of vacation here in Italy :slight_smile:
:clap: :clap: for @davidep

Open Source does not wait