List: oss-security
Subject: [oss-security] CVE request: Froxlor - information leak
From: oss-security-list () demlak ! de
Date: 2015-07-29 14:53:41
Message-ID: 55B8E8F5.5010003 () demlak ! de

Hello,

Please assign a CVE-ID for the following 'Information Leak':

Affects
=====
- Froxlor 0.9.33.1 and earlier

Fixed
====
- Froxlor 0.9.33.2

Summary
========
An unauthenticated remote attacker is able to get the database password
via web access due to wrong file permissions of the /logs/ folder in
froxlor version 0.9.33.1 and earlier. The plain SQL password and
username may be stored in the /logs/sql-error.log file. This directory
is publicly reachable under the default configuration/setup.

Notes
=====
Some default URLs are:

http://website.tld/froxlor/logs/sql-error.log
http://cp.website.tld/logs/sql-error.log
http://froxlor.website.tld/logs/sql-error.log

The certain section looks like this:

/var/www/froxlor/lib/classes/database/class.Database.php(279):
PDO->__construct('mysql:host=127....', 'DATABASE_USER',
'PLAIN_DATABASE_PW', Array)

Please note that the password in the logfile is truncated to 15 chars,
therefore passwords longer than 15 chars are not fully visible to an
attacker.

Patches
======
- log db errors to syslog instead of /logs/sql-error.log file:
https://github.com/Froxlor/Froxlor/commit/4ec376b29671593a50556630551e04e34bc83c1c

- replace passwords even before logging:
https://github.com/Froxlor/Froxlor/commit/8558533a9148a2a0302c9c177abff8e4e4075b92
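
Added example, not part of the original message and not Froxlor's code: one way to apply both mitigations listed under Patches, by redacting credentials from a PDOException trace and sending the result to syslog instead of a file under the web root. The helper names `redact_pdo_trace` and `log_db_error`, the `wrapper.php` frame and all sample credentials are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; helper names are hypothetical, not Froxlor's code.
function redact_pdo_trace(string $trace, array $secrets): string
{
    // Drop every argument of the PDO constructor frame. ".*" is greedy and
    // stops at the last ")" on the line, so a ")" in a password is covered.
    $clean = preg_replace('/(PDO->__construct\().*\)/', '${1}[redacted])', $trace);
    if ($clean === null) {
        // Fail closed: never log the raw trace if the regex engine errors out.
        return '[trace withheld: redaction failed]';
    }

    // Replace known secrets in any other frame. The trace shows only the first
    // 15 characters of a string argument, so that prefix is matched as well.
    foreach ($secrets as $secret) {
        if ($secret === '') {
            continue;
        }
        $needles = [$secret];
        if (strlen($secret) > 15) {
            $needles[] = substr($secret, 0, 15);
        }
        $clean = str_replace($needles, '[redacted]', $clean);
    }
    return $clean;
}

function log_db_error(PDOException $e, array $secrets): void
{
    $text = $e->getMessage() . "\n" . $e->getTraceAsString();
    // syslog keeps the record out of any directory the web server can serve.
    syslog(LOG_ERR, redact_pdo_trace($text, $secrets));
}

// Constructed sample trace (credentials and the wrapper frame are made up).
$sample = "#0 /var/www/froxlor/lib/classes/database/class.Database.php(279): "
        . "PDO->__construct('mysql:host=127....', 'demo_db_user', 'constructed-pas...', Array)\n"
        . "#1 /var/www/example/wrapper.php(12): open_db('demo_db_user', 'constructed-pas...')\n"
        . "#2 {main}";

echo redact_pdo_trace($sample, ['demo_db_user', 'constructed-pass-0001']), "\n";
```

Running the file prints the sample trace with the constructor arguments and both credentials replaced by `[redacted]`; `log_db_error` is what a catch block around the connection attempt would call.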