Page MenuHomeVulnz

Error message reveals information about some internal data structure



When passing specific parameters to a page which displays receipts, Giga shows an error message and prints out an array showing a list of fields, maybe detailing a database structure or some other sort of internal structure.

Reproduction steps

  1. Open (it doesn't matter whether you have logged in).

Screenshot 2019-03-14 at 15.27.37.png (1×1 px, 286 KB)

Severity of the vulnerability

This is not a severe vulnerability, and I don't even think this could be considered as a security vulnerability alone, because it cannot be used to directly exploit the system in any way. Despite this, I think this would allow an attacker to have a better understanding of how the system works internally and it would make it easier for them to find other vulnerabilities.

What should be done?

The array printed should be removed from the page.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.


Universitat de Barcelona
Mar 18 2019, 12:47 AM

Event Timeline

avm99963 triaged this task as Priority-3 priority.Mar 14 2019, 3:26 PM
avm99963 created this task.
avm99963 set Reported to Mar 18 2019, 12:47 AM.Mar 18 2019, 12:52 AM

The third party says the vulnerability is fixed and I could verify it too, so I'm publishing the vulnerability.

avm99963 changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)".Mar 19 2019, 6:26 PM