fisharebest / webtrees

Online genealogy
https://webtrees.net
GNU General Public License v3.0

2.1.5 Security Issue on Place Admin #4471

Closed FrankWarius closed 2 years ago

FrankWarius commented 2 years ago

from Website logs; 2022-06-10 01:59:44 | error | 138.201.11.237 | none | none

No more website log entries for 138.201.11.237, but there are IIS log entries. No user was logged in at this time.

how could this happen?

IIS Log Error 2022-06-09 23:59:44 85.214.164.127 GET /index.php - 443 - 138.201.11.237 Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/87.0.4280.67+Safari/537.36 - 500 0 0 2815

Website logs error: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '23643-2-Ahrensbök' for key 'ux1' (SQL: insert into wt2_places (p_file, p_place, p_parent_id, p_std_soundex, p_dm_soundex) values (2, Ahrensbök, 23643, A652, 059647:096475)) …\vendor\illuminate\database\Connection.php:712 #0 …\vendor\illuminate\database\Connection.php(672): Illuminate\Database\Connection->runQueryCallback('insert into wt...', Array, Object(Closure)) #1 …\vendor\illuminate\database\Connection.php(502): Illuminate\Database\Connection->run('insert intowt...', Array, Object(Closure)) #2 …\vendor\illuminate\database\Connection.php(454): Illuminate\Database\Connection->statement('insert into wt...', Array) #3 …\vendor\illuminate\database\Query\Builder.php(2980): Illuminate\Database\Connection->insert('insert intowt...', Array) #4 …\app\Place.php(141): Illuminate\Database\Query\Builder->insert(Array) #5 …\app\Cache.php(60): Fisharebest\Webtrees\Place->Fisharebest\Webtrees{closure}() #6 …\vendor\symfony\cache\Adapter\ArrayAdapter.php(84): Fisharebest\Webtrees\Cache::Fisharebest\Webtrees{closure}(Object(Symfony\Component\Cache\CacheItem), true) #7 …\app\Cache.php(61): Symfony\Component\Cache\Adapter\ArrayAdapter->get('07582e21abab4d6...', Object(Closure)) #8 …\app\Place.php(148): Fisharebest\Webtrees\Cache->remember('place-Ahrensb\xC3\xB6...', Object(Closure)) #9 …\app\Place.php(223): Fisharebest\Webtrees\Place->id() #10 …\app\Place.php(300): Fisharebest\Webtrees\Place->url() #11 …\resources\views\lists\individuals-table.phtml(328): Fisharebest\Webtrees\Place->shortName(true) #12 …\app\View.php(183): include('D:\Web\WT21 Pro...') #13 …\app\View.php(278): Fisharebest\Webtrees\View->render() #14 …\app\Helpers\functions.php(145): Fisharebest\Webtrees\View::make('lists/individua...', Array) #15 …\resources\views\record-page-links.phtml(117): view('lists/individua...', Array) #16 …\app\View.php(183): include('D:\Web\WT21 Pro...') #17 …\app\View.php(278): 
Fisharebest\Webtrees\View->render() #18 …\app\Helpers\functions.php(145): Fisharebest\Webtrees\View::make('record-page-lin...', Array) #19 …\resources\views\record-page.phtml(55): view('record-page-lin...', Array) #20 …\app\View.php(183): include('D:\Web\WT21 Pro...') #21 …\app\View.php(278): Fisharebest\Webtrees\View->render() #22 …\app\Helpers\functions.php(145): Fisharebest\Webtrees\View::make('record-page', Array) #23 …\app\Http\ViewResponseTrait.php(50): view('record-page', Array) #24 …\app\Http\RequestHandlers\SourcePage.php(90): Fisharebest\Webtrees\Http\RequestHandlers\SourcePage->viewResponse('record-page', Array) #25 …\app\Http\Middleware\RequestHandler.php(54): Fisharebest\Webtrees\Http\RequestHandlers\SourcePage->handle(Object(Nyholm\Psr7\ServerRequest)) #26 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\RequestHandler->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #27 …\app\Module\HitCountFooterModule.php(154): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #28 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Module\HitCountFooterModule->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #29 …\app\Module\CheckForNewVersion.php(115): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #30 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Module\CheckForNewVersion->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #31 …\app\Http\Middleware\CheckCsrf.php(80): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #32 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\CheckCsrf->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #33 …\vendor\oscarotero\middleland\src\Dispatcher.php(118): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #34 …\app\Webtrees.php(275): 
Middleland\Dispatcher->dispatch(Object(Nyholm\Psr7\ServerRequest)) #35 …\app\Http\Middleware\Router.php(153): Fisharebest\Webtrees\Webtrees::dispatch(Object(Nyholm\Psr7\ServerRequest), Array) #36 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\Router->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #37 …\app\Http\Middleware\BootModules.php(60): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #38 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\BootModules->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #39 …\app\Http\Middleware\RegisterGedcomTags.php(54): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #40 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\RegisterGedcomTags->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #41 …\app\Http\Middleware\LoadRoutes.php(75): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #42 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\LoadRoutes->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #43 …\app\Http\Middleware\CheckForNewVersion.php(65): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #44 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\CheckForNewVersion->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #45 …\app\Http\Middleware\UseTransaction.php(45): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #46 …\vendor\illuminate\database\Concerns\ManagesTransactions.php(29): Fisharebest\Webtrees\Http\Middleware\UseTransaction::Fisharebest\Webtrees\Http\Middleware{closure}(Object(Illuminate\Database\MySqlConnection)) #47 …\app\Http\Middleware\UseTransaction.php(46): 
Illuminate\Database\Connection->transaction(Object(Closure), 3) #48 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\UseTransaction->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #49 …\app\Http\Middleware\DoHousekeeping.php(73): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #50 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\DoHousekeeping->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #51 …\app\Http\Middleware\UseTheme.php(69): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #52 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\UseTheme->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #53 …\app\Http\Middleware\CheckForMaintenanceMode.php(51): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #54 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\CheckForMaintenanceMode->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #55 …\app\Http\Middleware\UseLanguage.php(71): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #56 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\UseLanguage->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #57 …\app\Http\Middleware\UseSession.php(78): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #58 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\UseSession->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #59 …\app\Http\Middleware\UpdateDatabaseSchema.php(57): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #60 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): 
Fisharebest\Webtrees\Http\Middleware\UpdateDatabaseSchema->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #61 …\app\Http\Middleware\UseDatabase.php(118): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #62 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\UseDatabase->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #63 …\app\Http\Middleware\BadBotBlocker.php(233): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #64 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\BadBotBlocker->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #65 …\app\Http\Middleware\CompressResponse.php(73): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #66 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\CompressResponse->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #67 …\app\Http\Middleware\ContentLength.php(40): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #68 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\ContentLength->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #69 …\vendor\middlewares\client-ip\src\ClientIp.php(65): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #70 …\app\Http\Middleware\ClientIp.php(47): Middlewares\ClientIp->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #71 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\ClientIp->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #72 …\app\Http\Middleware\HandleExceptions.php(90): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #73 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): 
Fisharebest\Webtrees\Http\Middleware\HandleExceptions->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #74 …\app\Http\Middleware\BaseUrl.php(79): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #75 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\BaseUrl->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #76 …\app\Http\Middleware\ReadConfigIni.php(68): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #77 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\ReadConfigIni->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #78 …\app\Http\Middleware\SecurityHeaders.php(48): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #79 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\SecurityHeaders->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #80 …\app\Http\Middleware\EmitResponse.php(57): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #81 …\vendor\oscarotero\middleland\src\Dispatcher.php(136): Fisharebest\Webtrees\Http\Middleware\EmitResponse->process(Object(Nyholm\Psr7\ServerRequest), Object(Middleland\Dispatcher)) #82 …\vendor\oscarotero\middleland\src\Dispatcher.php(118): Middleland\Dispatcher->handle(Object(Nyholm\Psr7\ServerRequest)) #83 …\app\Webtrees.php(275): Middleland\Dispatcher->dispatch(Object(Nyholm\Psr7\ServerRequest)) #84 …\app\Webtrees.php(262): Fisharebest\Webtrees\Webtrees::dispatch(Object(Nyholm\Psr7\ServerRequest), Array) #85 …\index.php(51): Fisharebest\Webtrees\Webtrees->httpRequest() #86 {main}

FrankWarius commented 2 years ago

the database itself seems to be ok: [screenshot]

fisharebest commented 2 years ago

Does your data contain both Ahrensbök and Ahrensbok?

FrankWarius commented 2 years ago

no. See the above screenshot of the DB. Only two entries starting with 'Ahrens'

FrankWarius commented 2 years ago

As you can see, both places have the same Soundex value. Ahrenshoop is in Western Pomerania, Ahrensbök in Schleswig-Holstein. I think we had problems with umlauts / code pages about 5 years ago. Some 1.x stuff we solved.

Why I'm afraid it's a security issue:

Should there now be other code paths that insert into the _places table, that would be OK for me and not a security issue.

fisharebest commented 2 years ago

Entries in this table are created when they are first used.

This one was created while viewing the individual list.

Does your data contain both Ahrensbök and Ahrensbok?

You didn't answer this question.

Due to collation rules, only one of these can be stored. If you have both, the second will fail with the error above....
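
The failure mode fisharebest describes above, reproduced as an added example (not webtrees code): a find-or-create routine that looks a place up with one notion of equality while the unique index `ux1` enforces another. The schema is a constructed, cut-down version of the `wt2_places` table from the error message; an accent-insensitive collation is simulated with a sqlite3 collation callback, since the real MySQL collation is not reproduced here. Names such as `place_id_naive`, `place_id_safe` and `ACCENT_INSENSITIVE` are this example's own. The naive variant misses the stored 'Ahrensbök' when asked for 'Ahrensbok', inserts, and collides on the index, which is the 500 an anonymous visitor to the individual list could trigger; the safe variant queries with the index's own collation and treats a duplicate-key error as "already exists" so a concurrent insert of the same name cannot crash the request either.

```python
import sqlite3
import unicodedata


def fold_accents(s: str) -> str:
    """Strip diacritics and case so 'Ahrensbök' and 'Ahrensbok' fold to the same key."""
    decomposed = unicodedata.normalize("NFKD", s)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def accent_insensitive(a: str, b: str) -> int:
    """sqlite3 collation callback standing in for an accent-insensitive DB collation (assumption)."""
    fa, fb = fold_accents(a), fold_accents(b)
    return (fa > fb) - (fa < fb)


def make_db() -> sqlite3.Connection:
    """Constructed schema: a reduced places table with the unique index 'ux1' named in the error."""
    conn = sqlite3.connect(":memory:")
    conn.create_collation("ACCENT_INSENSITIVE", accent_insensitive)
    conn.execute(
        "CREATE TABLE places ("
        " p_id INTEGER PRIMARY KEY,"
        " p_file INTEGER NOT NULL,"
        " p_place TEXT NOT NULL COLLATE ACCENT_INSENSITIVE,"
        " p_parent_id INTEGER NOT NULL)"
    )
    # The unique index inherits the column's collation, so 'Ahrensbök' and 'Ahrensbok' are one key.
    conn.execute("CREATE UNIQUE INDEX ux1 ON places (p_file, p_place, p_parent_id)")
    return conn


def place_id_naive(conn: sqlite3.Connection, p_file: int, p_place: str, p_parent_id: int) -> int:
    """Find-or-create with a byte-exact lookup: the lookup misses a row that the index
    considers equal, the INSERT then violates ux1 and the caller gets an IntegrityError."""
    row = conn.execute(
        "SELECT p_id FROM places WHERE p_file = ? AND p_place = ? COLLATE BINARY AND p_parent_id = ?",
        (p_file, p_place, p_parent_id),
    ).fetchone()
    if row is not None:
        return row[0]
    cur = conn.execute(
        "INSERT INTO places (p_file, p_place, p_parent_id) VALUES (?, ?, ?)",
        (p_file, p_place, p_parent_id),
    )
    return cur.lastrowid


def place_id_safe(conn: sqlite3.Connection, p_file: int, p_place: str, p_parent_id: int) -> int:
    """Find-or-create that compares with the index's own collation and treats a duplicate-key
    error (for example from a concurrent insert of the same name) as 'already exists'."""

    def lookup():
        # No explicit COLLATE: the column's collation, i.e. the one ux1 uses, applies.
        return conn.execute(
            "SELECT p_id FROM places WHERE p_file = ? AND p_place = ? AND p_parent_id = ?",
            (p_file, p_place, p_parent_id),
        ).fetchone()

    row = lookup()
    if row is not None:
        return row[0]
    try:
        cur = conn.execute(
            "INSERT INTO places (p_file, p_place, p_parent_id) VALUES (?, ?, ?)",
            (p_file, p_place, p_parent_id),
        )
        return cur.lastrowid
    except sqlite3.IntegrityError:
        # Lost a race or hit a collation-equal row: the row exists now, so return it.
        return lookup()[0]


def demo() -> dict:
    """Store 'Ahrensbök' (parent id and file id taken from the error message), then ask for 'Ahrensbok'."""
    conn = make_db()
    first = place_id_naive(conn, 2, "Ahrensbök", 23643)
    try:
        place_id_naive(conn, 2, "Ahrensbok", 23643)
        naive_failed = False
    except sqlite3.IntegrityError:
        naive_failed = True
    safe = place_id_safe(conn, 2, "Ahrensbok", 23643)
    rows = conn.execute("SELECT COUNT(*) FROM places").fetchone()[0]
    return {"first": first, "naive_failed": naive_failed, "safe": safe, "rows": rows}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the naive path raising on the second name while the safe path returns the id of the existing row and leaves exactly one row in the table. The two things to check in an application with this symptom are therefore whether every lookup preceding an insert uses the same collation as the unique index, and whether a duplicate-key error on that insert is handled rather than allowed to surface as a server error.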

FrankWarius commented 2 years ago

0 entries for Ahrensbok

[screenshot]

1 entry for Ahrensbök,

[screenshot]

last changed before the incident in 2015 (the log entry is from the next day)

FrankWarius commented 2 years ago

in the last place Export / Backup 2022-05-23 Places Global.csv there is no Ahrensb%k entry.

FrankWarius commented 2 years ago

I think the case is understandable and it's not a security issue.

I just successfully tested this with Eckernförde.

The question remains why the insert was made twice and led to an error entry in the log. From my point of view there are more urgent problems and we can close this issue.