Open findlabnet opened 4 months ago
@findlabnet interesting, but a little hard to reproduce without Windows (which I don't have). Is there any other way to trigger such a notice in locale? I wasn't able to.
The above functions use the global $language object without checking for its existence / initialization.
The $language
global gets initialized in backdrop_bootstrap() in step BACKDROP_BOOTSTRAP_LANGUAGE, which happens before the full boostrap is done - that's quite early.
I'd assume that any later function can safely rely on the existence of $language
and shouldn't have to do extra checks.
There might be edge cases though, where backdrop_language_initialize() didn't run, yet. Hard to know without steps to reproduce.
I do not have Windows too and there is no direct relation with, just logged cracking attempts.
I do not have Windows too and there is no direct relation...
Ah, OK, but you did see this Notice: Trying to get property...
nagging. So this should (somehow) be reproducible. But how? Calling the posted URLs doesn't seem to be sufficient (tried with wget and curl).
It may not have been related to CVE, but I saw such attempts more than once after that. I have not tried to reproduce it myself.
I tried on a preview site for a PR. Only the last URL logs (and shows) a Page not found error; the first two just redirect me to the front page.
That is different from what the quoted Apache log shows (a redirect for the first and third URLs).
Start part of URL used by attacker can be not only /index.php?%ADd+...
but also /test.php?%ADd+...
and /hello.world?%ADd+...
If no one else has seen it, the issue can be closed.
Description of the bug
Today I've seen possible attempts to exploit CVE-2024-4577 on some sites.
From Apache log:
Then dblog events:
The above functions use the global $language object without checking for its existence / initialization.
Should such a check be added?
Additional information
Add any other information that could help, such as: