oss-sec mailing list archives
CVE request: Froxlor - information leak
From: oss-security-list () demlak de
Date: Wed, 29 Jul 2015 16:53:41 +0200
Hello,

Please assign a CVE-ID for the following 'Information Leak':

Affects
=====
- Froxlor 0.9.33.1 and earlier

Fixed
====
- Froxlor 0.9.33.2

Summary
========
An unauthenticated remote attacker is able to get the database password via webaccess due to wrong file permissions of the /logs/ folder in froxlor version 0.9.33.1 and earlier. The plain SQL password and username may be stored in the /logs/sql-error.log file. This directory is publicly reachable under the default configuration/setup.

Notes
=====
Some default URLs are:
http://website.tld/froxlor/logs/sql-error.log
http://cp.website.tld/logs/sql-error.log
http://froxlor.website.tld/logs/sql-error.log

The certain section looks like this:
/var/www/froxlor/lib/classes/database/class.Database.php(279): PDO->__construct('mysql:host=127....', 'DATABASE_USER', 'PLAIN_DATABASE_PW', Array)

Please note that the password in the logfile is truncated to 15 chars, therefore passwords longer than 15 chars are not fully visible to an attacker.

Patches
======
- log db errors to syslog instead of /logs/sql-error.log file:
  https://github.com/Froxlor/Froxlor/commit/4ec376b29671593a50556630551e04e34bc83c1c
- replace passwords even before logging:
  https://github.com/Froxlor/Froxlor/commit/8558533a9148a2a0302c9c177abff8e4e4075b92
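For administrators checking an existing installation, the following added example (not part of the original post and not Froxlor code) audits the log file named in the advisory for the two conditions it describes: a readable `logs/sql-error.log` and stack-trace frames that carry the `PDO->__construct` arguments. The function name `audit_froxlor_logs` and the install path passed to it are assumptions.

```shell
#!/bin/sh
# Added example: local audit of a Froxlor install directory for the
# sql-error.log exposure described in the advisory above.
# Usage (path is an assumption): sh audit.sh /var/www/froxlor

# Prints one line per finding; returns 0 if clean, 1 if anything was found.
audit_froxlor_logs() {
    root=$1
    log="$root/logs/sql-error.log"
    findings=0

    if [ ! -f "$log" ]; then
        echo "OK: $log not present"
        return 0
    fi

    # World-readable bit set: the web server and every local user can read it.
    if [ -n "$(find "$log" -perm -004 2>/dev/null)" ]; then
        echo "FINDING: $log is world-readable"
        findings=$((findings + 1))
    fi

    # Trace frames of the form PDO->__construct('dsn', 'user', 'pw', ...
    # hold the DB user and the (truncated) password as quoted arguments.
    # A frame whose password was already replaced still matches this
    # pattern, so review each hit by hand.
    hits=$(grep -c "PDO->__construct('[^']*', '[^']*', '[^']*'" "$log" 2>/dev/null || true)
    hits=${hits:-0}
    if [ "$hits" -gt 0 ]; then
        echo "FINDING: $hits trace line(s) with PDO constructor arguments in $log"
        findings=$((findings + 1))
    fi

    if [ "$findings" -gt 0 ]; then
        return 1
    fi
    echo "OK: no findings for $log"
    return 0
}

# Run the audit when an install directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_froxlor_logs "$1"
fi
```

A hit on the second check means the database credentials in that file should be treated as disclosed and changed, independent of upgrading to 0.9.33.2.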
Current thread:
- CVE request: Froxlor - information leak oss-security-list (Jul 29)
- Re: CVE request: Froxlor - information leak cve-assign (Aug 07)