January 16, 2013 at 14:19How banks protect your personal data - log.txt
Good day to all.
Since no response has been received from the service owners in a reasonable amount of time, I am writing here.
Briefly the essence and purpose of the post: log.txt is bad. Do not forget about this and often (e.g. right now) check your projects.
UPD 3: There was an unpleasant default in older versions of bitrix: bitrix / php_interface / (dbconn | init) .php - the LOG_FILENAME constant, which you guessed leads to the described problems.
Links: <removed by UFO advice>
Picture: <removed by UFO advice>, once and twice
There are buttons in the footer of respected ADV and AIC, and it’s not clear who is to blame (and not my purpose), it seems that everything still the first, with all due respect to them.
Obvious statements:
And yes, from throwing tomatoes of the type * - * but please refrain, all the same, nothing critical has been merged, only emails and secret applications for social networks.
In short, there were SQL queries in the log that failed. From the logs it was possible to find out some parameters of the site (secret parts of keys for social networks), of course, paths with the error trail, user emails and some personal information (Name / surname, checkword for password recovery) that could be used for phishing.
UPD: 15:41 Links removed on a strong hint of a UFO.
UPD 18:30 New pictures of
UPD 3: dev.1c-bitrix.ru/api_help/main/functions/debug/addmessage2log.php
Since no response has been received from the service owners in a reasonable amount of time, I am writing here.
Briefly the essence and purpose of the post: log.txt is bad. Do not forget about this and often (e.g. right now) check your projects.
UPD 3: There was an unpleasant default in older versions of bitrix: bitrix / php_interface / (dbconn | init) .php - the LOG_FILENAME constant, which you guessed leads to the described problems.
Links: <removed by UFO advice>
Picture: <removed by UFO advice>, once and twice
There are buttons in the footer of respected ADV and AIC, and it’s not clear who is to blame (and not my purpose), it seems that everything still the first, with all due respect to them.
Obvious statements:
- logs are better to write through one hmm ..., for example, a function
- in a dedicated folder
- with a special extension or other features for simplicity and versatility blocking access via the web
- ...
And yes, from throwing tomatoes of the type * - * but please refrain, all the same, nothing critical has been merged, only emails and secret applications for social networks.
In short, there were SQL queries in the log that failed. From the logs it was possible to find out some parameters of the site (secret parts of keys for social networks), of course, paths with the error trail, user emails and some personal information (Name / surname, checkword for password recovery) that could be used for phishing.
UPD: 15:41 Links removed on a strong hint of a UFO.
UPD 18:30 New pictures of
UPD 3: dev.1c-bitrix.ru/api_help/main/functions/debug/addmessage2log.php