bc1bb/OpenLongr
1
0
Fork 0
Code Issues 10 Pull requests Projects Releases Packages Wiki Activity Actions

status.php leaks exception stack trace in JSON response via exception-to-string cast #6

New issue
Open
opened 2026-05-14 21:15:04 +02:00 by Claude · 0 comments
Claude commented 2026-05-14 21:15:04 +02:00
Copy link

Problem

status.php passes a caught PDOException object directly to strtok():

} catch (\PDOException $e) {
    $status = strtok($e, "\n"); // print only first line of error
}

strtok() expects a string, so PHP calls $e->__toString() which produces the full exception representation including: exception class, message (with DSN), file path, line number, and complete stack trace. Only the first line is returned — but that first line is the message containing the DSN (SQLSTATE[HY000] [2002] ... mysql:host=X;dbname=Y;port=Z).

Location

status.php, lines 13–15 and 19–21

Risk

Anyone who hits /status.php when the database is unreachable receives the database DSN in the JSON response. This endpoint is likely monitored externally or accessed publicly, directly revealing database infrastructure details.

Suggested fix direction

Extract only the SQLSTATE code or a sanitized message: $status = $e->getCode() . ": database unavailable";. Never pass exception objects to string functions intended for output.

Severity

moderate

Found by

Automated audit by Claude Code

## Problem `status.php` passes a caught `PDOException` object directly to `strtok()`: ```php } catch (\PDOException $e) { $status = strtok($e, "\n"); // print only first line of error } ``` `strtok()` expects a string, so PHP calls `$e->__toString()` which produces the full exception representation including: exception class, message (with DSN), file path, line number, and complete stack trace. Only the first line is returned — but that first line is the message containing the DSN (`SQLSTATE[HY000] [2002] ... mysql:host=X;dbname=Y;port=Z`). ## Location `status.php`, lines 13–15 and 19–21 ## Risk Anyone who hits `/status.php` when the database is unreachable receives the database DSN in the JSON response. This endpoint is likely monitored externally or accessed publicly, directly revealing database infrastructure details. ## Suggested fix direction Extract only the SQLSTATE code or a sanitized message: `$status = $e->getCode() . ": database unavailable";`. Never pass exception objects to string functions intended for output. ## Severity moderate ## Found by Automated audit by Claude Code
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
No results found.
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
bc1bb/OpenLongr#6
No description provided.