Date: Wed, 29 Jul 2015 16:53:41 +0200
From: oss-security-list@...lak.de
To: oss-security@...ts.openwall.com
Subject: CVE request: Froxlor - information leak

Hello,
Please assign a CVE-ID for the following 'Information Leak':

Affects
=====
- Froxlor 0.9.33.1 and earlier

Fixed
====
- Froxlor 0.9.33.2

Summary
========
An unauthenticated remote attacker is able to get the database password 
via web access due to wrong file permissions of the /logs/ folder in 
Froxlor version 0.9.33.1 and earlier. The plain SQL password and 
username may be stored in the /logs/sql-error.log file. This directory 
is publicly reachable under the default configuration/setup.

Notes
=====
Some default URLs are:
http://website.tld/froxlor/logs/sql-error.log
http://cp.website.tld/logs/sql-error.log
http://froxlor.website.tld/logs/sql-error.log

The relevant section looks like this:

/var/www/froxlor/lib/classes/database/class.Database.php(279): 
PDO->__construct('mysql:host=127....', 'DATABASE_USER', 
'PLAIN_DATABASE_PW', Array)

Please note that the password in the logfile is truncated to 15 chars, 
therefore passwords longer than 15 chars are not fully visible to an 
attacker.


Patches
======
- log db errors to syslog instead of /logs/sql-error.log file:
  https://github.com/Froxlor/Froxlor/commit/4ec376b29671593a50556630551e04e34bc83c1c
- replace passwords even before logging:
  https://github.com/Froxlor/Froxlor/commit/8558533a9148a2a0302c9c177abff8e4e4075b92
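
Added example, not part of the original post and not Froxlor's own code: a Python sketch an administrator could run over a saved copy of sql-error.log to find the PDO->__construct frame described above, list the logged username and password fragment, and redact them. The function names and regular expressions are assumptions; the sample input is the frame quoted in the post.

```python
import re

# A single-quoted string argument as PHP renders it in a stack trace.
QUOTED = r"'(?:[^'\\]|\\.)*'"
QUOTED_RE = re.compile(QUOTED)
# Argument list of a PDO constructor frame. Quoted strings are consumed whole,
# so a ')' inside a password does not end the match, and the frame may be
# wrapped over several lines as in the post.
PDO_FRAME = re.compile(r"PDO->__construct\(((?:" + QUOTED + r"|[^)'])*)\)")


def exposed_credentials(log_text):
    """Return (user, password_fragment) for every PDO constructor frame."""
    hits = []
    for frame in PDO_FRAME.finditer(log_text):
        args = [s[1:-1] for s in QUOTED_RE.findall(frame.group(1))]
        if len(args) >= 3:  # DSN, username, password
            hits.append((args[1], args[2]))
    return hits


def redact(log_text):
    """Replace every string argument after the DSN with '***'."""
    def scrub_frame(frame):
        count = 0

        def scrub_arg(arg):
            nonlocal count
            count += 1
            return arg.group(0) if count == 1 else "'***'"

        return "PDO->__construct(" + QUOTED_RE.sub(scrub_arg, frame.group(1)) + ")"

    return PDO_FRAME.sub(scrub_frame, log_text)


# Sample input: the frame quoted in the post, with its placeholder values.
SAMPLE_LOG = (
    "/var/www/froxlor/lib/classes/database/class.Database.php(279): \n"
    "PDO->__construct('mysql:host=127....', 'DATABASE_USER', \n"
    "'PLAIN_DATABASE_PW', Array)\n"
)

if __name__ == "__main__":
    for user, fragment in exposed_credentials(SAMPLE_LOG):
        print("logged credentials for user:", user, "fragment length:", len(fragment))
    print(redact(SAMPLE_LOG))
```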
