Date: Wed, 29 Jul 2015 16:53:41 +0200 From: oss-security-list@...lak.de To: oss-security@...ts.openwall.com Subject: CVE request: Froxlor - information leak Hello, Please assign a CVE-ID for the following 'Information Leak': Affects ===== - Froxlor 0.9.33.1 and earlier Fixed ==== - Froxlor 0.9.33.2 Summary ======== An unauthenticated remote attacker is able to get the database password via webaccess due to wrong file permissions of the /logs/ folder in froxlor version 0.9.33.1 and earlier. The plain SQL password and username may be stored in the /logs/sql-error.log file. This directory is publicly reachable under the default configuration/setup. Notes ===== Some default URLs are: http://website.tld/froxlor/logs/sql-error.log http://cp.website.tld/logs/sql-error.log http://froxlor.website.tld/logs/sql-error.log The certain section looks like this: /var/www/froxlor/lib/classes/database/class.Database.php(279): PDO->__construct('mysql:host=127....', 'DATABASE_USER', 'PLAIN_DATABASE_PW', Array) Please note that the password in the logfile is truncated to 15 chars, therefore passwords longer than 15 chars are not fully visible to an attacker. Patches ====== - log db errors to syslog instead of /logs/sql-error.log file: https://github.com/Froxlor/Froxlor/commit/4ec376b29671593a50556630551e04e34bc83c1c - replace passwords even before logging: https://github.com/Froxlor/Froxlor/commit/8558533a9148a2a0302c9c177abff8e4e4075b92
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.