Date: Wed, 29 Jul 2015 16:53:41 +0200 From: oss-security-list@...lak.de To: oss-security@...ts.openwall.com Subject: CVE request: Froxlor - information leak Hello, Please assign a CVE-ID for the following 'Information Leak': Affects ===== - Froxlor 0.9.33.1 and earlier Fixed ==== - Froxlor 0.9.33.2 Summary ======== An unauthenticated remote attacker is able to get the database password via webaccess due to wrong file permissions of the /logs/ folder in froxlor version 0.9.33.1 and earlier. The plain SQL password and username may be stored in the /logs/sql-error.log file. This directory is publicly reachable under the default configuration/setup. Notes ===== Some default URLs are: http://website.tld/froxlor/logs/sql-error.log http://cp.website.tld/logs/sql-error.log http://froxlor.website.tld/logs/sql-error.log The certain section looks like this: /var/www/froxlor/lib/classes/database/class.Database.php(279): PDO->__construct('mysql:host=127....', 'DATABASE_USER', 'PLAIN_DATABASE_PW', Array) Please note that the password in the logfile is truncated to 15 chars, therefore passwords longer than 15 chars are not fully visible to an attacker. Patches ====== - log db errors to syslog instead of /logs/sql-error.log file: https://github.com/Froxlor/Froxlor/commit/4ec376b29671593a50556630551e04e34bc83c1c - replace passwords even before logging: https://github.com/Froxlor/Froxlor/commit/8558533a9148a2a0302c9c177abff8e4e4075b92
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ