Internal server error
Hello,
I have some trouble with Burp-UI right now. Here is a bug report:
Bug summary
Internal server error on home page - can do nothing
Burp
$ burp -v
burp-2.0.54
Sysinfo
$ bui-manage sysinfo
Python version: 2.7.15
Burp-UI version: 0.6.1 (stable)
OS: Linux:4.14.52-145 (posix)
Distribution: Ubuntu 18.04 bionic
Single mode: True
Backend version: 2
WebSocket embedded: False
WebSocket available: False
Config file: /etc/burp/burpui.cfg
Steps to reproduce
- Log in
- Log out
- Try any page
logs
---------------------------[2018-07-12 15:26:56,436]----------------------------
DEBUG in security.basic_login_from_request [/usr/local/lib/python2.7/dist-packages/burpui/security.py:48]:
Found Basic user: admin
--------------------------------------------------------------------------------
---------------------------[2018-07-12 15:26:56,443]----------------------------
ERROR in app.log_exception [/usr/local/lib/python2.7/dist-packages/flask/app.py:1560]:
Exception on / [GET]
--------------------------------------------------------------------------------
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1982, in wsgi_app
response = self.full_dispatch_request()
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1614, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/local/lib/python2.7/dist-packages/flask_restplus/api.py", line 557, in error_router
return original_handler(e)
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1517, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1610, in full_dispatch_request
rv = self.preprocess_request()
File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1831, in preprocess_request
rv = func()
File "/usr/local/lib/python2.7/dist-packages/burpui/app.py", line 420, in setup_request
g.locale = get_locale()
File "/usr/local/lib/python2.7/dist-packages/burpui/ext/i18n.py", line 30, in get_locale
if current_user and not current_user.is_anonymous:
File "/usr/lib/python2.7/dist-packages/werkzeug/local.py", line 328, in __bool__
return bool(self._get_current_object())
File "/usr/lib/python2.7/dist-packages/werkzeug/local.py", line 306, in _get_current_object
return self.__local()
File "/usr/local/lib/python2.7/dist-packages/flask_login/utils.py", line 26, in <lambda>
current_user = LocalProxy(lambda: _get_user())
File "/usr/local/lib/python2.7/dist-packages/flask_login/utils.py", line 335, in _get_user
current_app.login_manager._load_user()
File "/usr/local/lib/python2.7/dist-packages/flask_login/login_manager.py", line 355, in _load_user
return self._load_from_request(request)
File "/usr/local/lib/python2.7/dist-packages/flask_login/login_manager.py", line 412, in _load_from_request
user = self.request_callback(request)
File "/usr/local/lib/python2.7/dist-packages/burpui/app.py", line 459, in load_user_from_request
user = basic_login_from_request(request, app)
File "/usr/local/lib/python2.7/dist-packages/burpui/security.py", line 56, in basic_login_from_request
if user.active and user.login(auth.password):
AttributeError: 'NoneType' object has no attribute 'active'
Configuration
# Burp-UI configuration file
# @version@ - 0.6.0
# @release@ - stable
[Global]
# burp server version 1 or 2
version = 2
# handle multiple bui-servers or not
# If set to 'false', you will need to declare at least one 'Agent' section (see
# bellow)
single = true
# authentication plugin (mandatory)
# list the misc/auth directory to see the available backends
# to disable authentication you can set "auth = none"
# you can also chain multiple backends. Example: "auth = ldap,basic"
# the order will be respected unless you manually set a higher backend priority
auth = local
# acl plugin
# list misc/acl directory to see the available backends
# default is no ACL
#acl = basic
# you can change the prefix if you are behind a reverse-proxy under a custom
# root path. For example: /burpui
# You can also configure your reverse-proxy to announce the prefix through the
# 'X-Script-Name' header. In this case, the bellow prefix will be ignored in
# favour of the one announced by your reverse-proxy
prefix = /burp
# list of paths to look for external plugins
plugins = none
[UI]
# refresh interval of the pages in seconds
refresh = 180
# refresh interval of the live-monitoring page in seconds
liverefresh = 5
# list of labels to ignore (you can use regex)
ignore_labels = "color:.*", "custom:.*"
# format label using sed-like syntax
format_labels = "s/^os:\s*//"
# default strip leading path value for file restorations
default_strip = 0
[Production]
# storage backend for session and cache
# may be either 'default' or 'redis'
storage = default
# session database to use
# may also be a backend url like: redis://localhost:6379/0
# if set to 'redis', the backend url defaults to:
# redis://<redis_host>:<redis_port>/0
# where <redis_host> is the host part, and <redis_port> is the port part of
# the below "redis" setting
session = default
# cache database to use
# may also be a backend url like: redis://localhost:6379/0
# if set to 'redis', the backend url defaults to:
# redis://<redis_host>:<redis_port>/1
# where <redis_host> is the host part, and <redis_port> is the port part of
# the below "redis" setting
cache = default
# redis server to connect to
redis = localhost:6379
# whether to use celery or not
# may also be a broker url like: redis://localhost:6379/0
# if set to "true", the broker url defaults to:
# redis://<redis_host>:<redis_port>/2
# where <redis_host> is the host part, and <redis_port> is the port part of
# the above "redis" setting
celery = false
# database url to store some persistent data
# none or a connect string supported by SQLAlchemy:
# http://docs.sqlalchemy.org/en/latest/core/engines.html#database-urls
# example: sqlite:////var/lib/burpui/store.db
database = none
# whether to rate limit the API or not
# may also be a redis url like: redis://localhost:6379/0
# if set to "true" or "redis" or "default", the url defaults to:
# redis://<redis_host>:<redis_port>/3
# where <redis_host> is the host part, and <redis_port> is the port part of
# the above "redis" setting
# Note: the limiter only applies to the API routes
limiter = false
# limiter ratio
# see https://flask-limiter.readthedocs.io/en/stable/#ratelimit-string
ratio = 60/minute
[WebSocket]
## This section contains WebSocket server specific options.
# whether to enable websocket or not
enabled = true
# whether to embed the websocket server or not
# if set to "true", you should have only *one* gunicorn worker
# see here for details:
# https://flask-socketio.readthedocs.io/en/latest/#gunicorn-web-server
embedded = false
# what broker to use to interact between websocket servers
# may be a redis url like: redis://localhost:6379/0
# if set to "true" or "redis" or "default", the url defaults to:
# redis://<redis_host>:<redis_port>/4
# where <redis_host> is the host part, and <redis_port> is the port part of
# the above "redis" setting
# set this to none to disable the broker
broker = redis
# if you choose to run a dedicated websocket server (with embedded = false)
# you can specify here the websocket url. You'll need to double quote your
# string though.
# example:
# url = "document.domain + ':5001'"
url = none
# whether to enable verbose websocket server logs or not (for development)
debug = false
[Security]
## This section contains some security options. Make sure you understand the
## security implications before changing these.
# list of 'root' paths allowed when sourcing files in the configuration.
# Set this to 'none' if you don't want any restrictions, keeping in mind this
# can lead to accessing sensible files. Defaults to '/etc/burp'.
# Note: you can have several paths separated by comas.
# Example: /etc/burp,/etc/burp.d
includes = /etc/burp
# if files already included in config do not respect the above restriction, we
# prune them
enforce = false
# enable certificates revocation
revoke = true
# remember_cookie duration in days
cookietime = 14
# number of days of inactivity before invalidating a session (suppose your
# browser is open for days/months, your session will never expire, unless you
# set this to a positive value)
# if set to 0 sessions will last forever
# Note: this requires the use of a database to work
sessiontime = 5
# whether to use a secure cookie for https or not. If set to false, cookies
# won't have the 'secure' flag.
# This setting is only useful when HTTPS is detected
scookie = true
# application secret to secure cookies. If you don't set anything, the default
# value is 'random' which will generate a new secret after every restart of your
# application. You can also set it to 'none' although this is not recommended.
# /!\ YOU CANNOT USE THE MAGIC 'random' VALUE WHEN USING GUNICORN /!\
appsecret = random
[Experimental]
## This section contains some experimental features that have not been deeply
## tested yet
# enable zip64 feature. Python doc says:
# « ZIP64 extensions are disabled by default because the default zip and unzip
# commands on Unix (the InfoZIP utilities) don’t support these extensions. »
zip64 = false
# disable server initiated restoration if `bconfcli` file contains
# `server_can_restore = 0`
noserverrestore = false
# burp backend specific options
[Burp]
# burp status address (can only be '127.0.0.1' or '::1')
bhost = ::1
# burp status port
bport = 4972
# burp binary
burpbin = /usr/sbin/burp
# vss_strip binary
stripbin = /usr/sbin/vss_strip
# burp client configuration file used for the restoration
bconfcli = /etc/burp/burp.conf
# burp server configuration file used for the setting page
bconfsrv = /etc/burp/burp-server.conf
# temporary directory to use for restoration
tmpdir = /tmp/bui
# how many time to wait for the monitor to answer (in seconds)
timeout = 15
## ldapauth specific options
#[LDAP]
## Backend priority. Higher is first
#priority = 50
## LDAP host
#host = 127.0.0.1
## LDAP port
#port = 389
## Encryption type to LDAP server (none, ssl or tls)
## - try tls if unsure, otherwise ssl on port 636
#encryption = ssl
## specifies if the server certificate must be validated, values can be:
## - none (certificates are ignored)
## - optional (not required, but validated if provided)
## - required (required and validated)
#validate = none
## SSL or TLS version to use, can be one of the following:
## - SSLv2
## - SSLv3
## - SSLv23
## - TLSv1
## - TLSv1_1 (Available only with openssl version 1.0.1+, requires python 2.7.9 or higher)
#version = TLSv1
## the file containing the certificates of the certification authorities
#cafile = none
## Attribute to use when searching the LDAP repository
##searchattr = sAMAccountName
#searchattr = uid
## LDAP filter to find users in the LDAP repository
## - {0} will be replaced by the search attribute
## - {1} will be replaced by the login name
##filter = (&({0}={1})(burpui=1))
##filter = (&({0}={1})(|(userAccountControl=512)(userAccountControl=66048)))
## LDAP base (quotes are mandatory)
#base = "ou=users,dc=example,dc=com"
## Binddn to list existing users (quotes are mandatory)
#binddn = "cn=admin,dc=example,dc=com"
## Bindpw to list existing users
#bindpw = Sup3rS3cr3tPa$$w0rd
## basicauth specific options
## Note: in case you leave this section commented, the default login/password
## is admin/admin
#[BASIC]
## Backend priority. Higher is first
#priority = 100
#admin = password
#user1 = otherpassword
# localauth specific options
# Note: if not running as root, then burp-ui must be run as group 'shadow' to
# allow PAM to work
[LOCAL]
# Backend priority. Higher is first
priority = 10
# List of local users allowed to login. If you don't set this setting, users
# with uid greater than limit will be able to login
#users = user1,user2
users = nigel,sandy
# Minimum uid that will be allowed to login
limit = 1000
## acl engine global options
#[ACL]
## Enable extended matching rules (enabled by default)
## If the rule is a string like 'user1 = desk*', it will match any client that
## matches 'desk*' no mater what agent it is attached to.
## If it is a coma separated list of strings like 'user1 = desk*,laptop*' it
## will match the first matching rule no mater what agent it is attached to.
## If it is a dict like:
## user1 = '{"agents": ["srv*", "www*"], "clients": ["desk*", "laptop*"]}'
## It will also validate against the agent name.
#extended = true
## If you don't explicitly specify ro/rw grants, what should we assume?
#assume_rw = true
## Enable 'legacy' behavior
## Since v0.6.0, if you don't specify the agents name explicitly, users will be
## granted on every agents where a client matches user's ACL. If you enable the
## 'legacy' behavior, you will need to specify the agents explicitly.
## Note: enabling this option will also disable the extended mode
#legacy = false
## The inheritance order maters, it means depending the order you choose,
## the ACL engine won't handle the grants the same way.
## By default, ACL inherited by groups will have lower priority, unless you
## choose otherwise
#inverse_inheritance = false
## If you specify agents and clients separately, should we link them implicitly?
## For instance, '{"agents": ["agent1", "agent2"], "clients": ["client1", "client2"]}'
## will become: '{"agents": {"agent1": ["client1", "client2"], "agent2": ["client1", "client2"]}}'
#implicit_link = true
## basicacl specific options
## Note: in case you leave this section commented, the user 'admin' will have
## access to all clients whereas other users will only see the client that have
## the same name
#[BASIC:ACL]
## Backend priority. Higher is first
#priority = 100
## List of administrators
#admin = user1,user2
## List of moderators. Users listed here will inherit the grants of the
## 'virtual' user '@moderator'
#+moderator = user5,user6
#@moderator = '{"agents":{"ro":["agent1"]}}'
## NOTE: if you are running single-agent mode, you should specify the ro/rw
## rights of the moderators using this special 'local' agent name:
## NOTE: this is the default when running single-agent mode if you don't
## specify anything else
##@moderator = '{"agents": {"rw": "local"}}'
## Please note the double-quotes and single-quotes on the following lines are
## mandatory!
## You can also overwrite the default behavior by specifying which clients a
## user can access
## Suppose you are running single-agent mode (the default), you only need to
## specify a list of clients a user can access:
#user3 = '{"clients": {"ro": ["prod*"], "rw": ["dev*", "test1"]}}'
## In case you are not in a single mode, you can also specify which clients
## a user can access on a specific Agent
#user4 = '{"agents": {"agent1": ["client6", "client7"], "agent2": ["client8"]}}'
## You can define read-only and/or read-write grants using:
#user5 = '{"agents": {"www*": {"ro": ["desk*"], "rw": ["desk1"]}}}'
## Finally, you can define groups using the syntax "@groupname" and adding
## members using "+groupname". Note: groups can inherit groups!
#@group1 = '{"agents": {"ro": ["*"]}}'
#@group2 = '{"clients": {"rw": ["dev*"]}}'
#+group1 = @group2
#+group2 = user5
## As a result, user5 will be granted the following rights:
## '{"ro": {"agents": ["*", "agent1"], "www*": ["desk*"]}, "rw": {"clients": ["dev*"], "www*": ["desk1"]}}
## If you set single to 'false', add at least one section like this per
## bui-agent
#[Agent:agent1]
## bui-agent address
#host = 192.168.1.1
## bui-agent port
#port = 10000
## bui-agent password
#password = azerty
## enable SSL
#ssl = true
#[Agent:agent2]
## bui-agent address
#host = 192.168.2.1
## bui-agent port
#port = 10000
## bui-agent password
#password = ytreza
## enable SSL
#ssl = true
Thanks