CVE request: Froxlor - information leak

[oss-security-list () demlak de]

Hello,
Please assign a CVE-ID for the following 'Information Leak':

Affects
=====
- Froxlor 0.9.33.1 and earlier

Fixed
====
- Froxlor 0.9.33.2

Summary
========
An unauthenticated remote attacker is able to get the database password 
via webaccess due to wrong file permissions of the /logs/ folder in 
froxlor version 0.9.33.1 and earlier. The plain SQL password and 
username may be stored in the /logs/sql-error.log file. This directory 
is publicly reachable under the default configuration/setup.

Notes
=====
Some default URLs are:
http://website.tld/froxlor/logs/sql-error.log
http://cp.website.tld/logs/sql-error.log
http://froxlor.website.tld/logs/sql-error.log

The certain section looks like this:

/var/www/froxlor/lib/classes/database/class.Database.php(279): 
PDO->__construct('mysql:host=127....', 'DATABASE_USER', 
'PLAIN_DATABASE_PW', Array)

Please note that the password in the logfile is truncated to 15 chars, 
therefore passwords longer than 15 chars are not fully visible to an 
attacker.


Patches
======
- log db errors to syslog instead of /logs/sql-error.log file:

https://github.com/Froxlor/Froxlor/commit/4ec376b29671593a50556630551e04e34bc83c1c
- replace passwords even before logging:

https://github.com/Froxlor/Froxlor/commit/8558533a9148a2a0302c9c177abff8e4e4075b92