From 039e62f9dce802a9723dbad83a2865eba6d67c17 Mon Sep 17 00:00:00 2001 From: junovitch Date: Thu, 13 Aug 2015 02:07:33 +0000 Subject: Document Froxlor database password information disclosure vulnerability PR: 202262 Security: CVE-2015-5959 Security: 9ee72858-4159-11e5-93ad-002590263bf5 Approved by: feld (mentor) --- security/vuxml/vuln.xml | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) (limited to 'security') diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 8f85c77f0564..24171456f298 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -58,6 +58,46 @@ Notes: --> + + froxlor -- database password information leak + + + froxlor + 0.9.33.2 + + + + +

oss-security-list@demlak.de reports:

+
+

An unauthenticated remote attacker is able to get the database + password via webaccess due to wrong file permissions of the /logs/ + folder in froxlor version 0.9.33.1 and earlier. The plain SQL + password and username may be stored in the /logs/sql-error.log file. + This directory is publicly reachable under the default + configuration/setup.

+
+

Note that froxlor 0.9.33.2 prevents future logging of passwords but + does not retroactively remove passwords already logged. Michael + Kaufmann, the Froxlor lead developer reports:

+
+

Removing all .log files from the directory should do the job, + alternatively just use the class.ConfigIO.php from Github

+
+ +
+ + CVE-2015-5959 + ports/202262 + http://seclists.org/oss-sec/2015/q3/238 + https://forum.froxlor.org/index.php/topic/13054-important-bugfix-release-09332/ + + + 2015-07-29 + 2015-08-13 + +
+ RT -- two XSS vulnerabilities -- cgit
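Review bot: the remediation guidance in the new entry's description (remove all .log files from /logs/, or pick up class.ConfigIO.php from Github) stops further exposure but says nothing about the credential that was already leaked; the same text states that /logs/sql-error.log may hold the plain SQL username and password and that the directory is publicly reachable under the default setup, so anyone may already have read it. The entry should state that installations that ran 0.9.33.1 or earlier must change the database password after upgrading to 0.9.33.2 and cleaning the logs, and that the /logs/ directory should be made unreachable from the web rather than merely emptied. A smaller point: the Michael Kaufmann quote is not tied to either of the two URLs in the references, so a reader cannot tell whether it comes from the oss-sec thread or the Froxlor forum post; attributing it inline would help.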