SecurityException Status Codes
It appears CI4.4.3 is setting a 5XX status code for SecurityExceptions. My security people are complaining about this. They (unbelievably) have classified it as a HIGH/cat 1 severity security vulnerability. I think my apps (5 of them) have been doing this for a few years but all of a sudden they are flagging this now for some reason. (They do regular probing of our apps every Sunday)
How can I change this? I set security.redirect = true. Looking at the SecurityException class, the disallowedAction is supposed to be a 403. So my SecurityException invocations should not be setting the status code to 5xx. What else could it be?
Simpler is always better
(03-27-2024, 04:26 AM)donpwinston Wrote: It appears CI4.4.3 is setting a 5XX status code for SecurityExceptions. My security people are complaining about this. They (unbelievably) have classified it as a HIGH/cat 1 severity security vulnerability. I think my apps (5 of them) have been doing this for a few years but all of a sudden they are flagging this now for some reason. (They do regular probing of our apps every Sunday)
I edited App/Config/Exceptions and replaced the exception handler with a customized SecureExceptionHandler. For status codes 500 and above I set it to 418 or 403. I don't like doing this because I'll have to check it after every upgrade to see if anything changed. ExceptionHandler is a final class. I can't subclass it. I can only just copy it.
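A composition wrapper that keeps the stock handler and remaps only the status code, as an added example (not code from this thread or from CodeIgniter itself); the class name, the file paths under app/, and the 403 default are assumptions, and it relies on the ExceptionHandlerInterface and the Config\Exceptions::handler() factory hook that 4.4 provides:

```php
<?php
// app/Libraries/StatusRemappingExceptionHandler.php (assumed path)
// Added example: wraps the framework's final ExceptionHandler by composition
// instead of copying it, so framework upgrades keep the stock behaviour.

namespace App\Libraries;

use CodeIgniter\Debug\ExceptionHandler;
use CodeIgniter\Debug\ExceptionHandlerInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use Config\Exceptions as ExceptionsConfig;
use Throwable;

final class StatusRemappingExceptionHandler implements ExceptionHandlerInterface
{
    private ExceptionHandler $inner;
    private int $remapTo;

    public function __construct(ExceptionsConfig $config, int $remapTo = 403)
    {
        // Everything else (logging, error views, exit code) stays with the stock handler.
        $this->inner   = new ExceptionHandler($config);
        $this->remapTo = $remapTo;
    }

    public function handle(
        Throwable $exception,
        RequestInterface $request,
        ResponseInterface $response,
        int $statusCode,
        int $exitCode
    ): void {
        // Only 5xx codes are rewritten; 4xx responses such as the CSRF 403 pass through.
        if ($statusCode >= 500) {
            $statusCode = $this->remapTo;
        }
        $this->inner->handle($exception, $request, $response, $statusCode, $exitCode);
    }
}

// app/Config/Exceptions.php: select the wrapper in the existing handler() factory method.
//
// public function handler(int $statusCode, Throwable $exception): ExceptionHandlerInterface
// {
//     return new \App\Libraries\StatusRemappingExceptionHandler($this);
// }
```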
No, CI4 returns 403 response when a CSRF error happens.
See https://codeigniter4.github.io/CodeIgnit...-exception

Code: $ curl -D - -s -o /dev/null http://localhost:8080
Yes but it sends 500 codes for other things. This is not allowed by my security people. Replacing the ExceptionHandler class with my version is the only way I've come up with to fix the problem. Maybe you guys should consider not sending 500 codes for any reason. This requirement is coming from the US Federal Government.
What are other things?
If there are exceptions that the framework throws, and the status code is incorrect, we should fix the status code. But developers should catch other exceptions if needed, and handle them properly. Yes, when the framework Exception Handler catches Exceptions, the default HTTP status code will be 500. In my opinion, changing the default 500 to 4xx does nothing for security, and 4xx is probably incorrect in most cases, because 4xx means errors on the client side, but most exceptions are caused by the server side. Can you show the exact requirement coming from the US Federal Government? I don't get why the US Federal Government says such nonsense.
I don't understand why a 500 status code is so bad either. They tell me that it indicates a possible instability in your system that makes it a candidate to be exploited. It is sort of an encouragement to keep on trying to hack your site. But if you eliminate 500's then 400's could be then interpreted as the same thing. So I think it is stupid.
Indeed, it would be possible to say that 500 represents system instability.
If exceptions can be caught and recovered, the application should do so. However, if it is a client-side problem, we should return 4xx, and if it is a server-side problem, we should return 5xx. For example, if it cannot connect to the database, we can only return 500. Thus, if the framework throws an exception and returns an inappropriate 500 response, it is a bug in the framework. Please report a bug or send a PR to fix it.