View Issue Details

| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0013500 | Tine 2.0 | Setup | public | 2017-09-29 11:46 | 2018-01-23 09:37 |

| Field | Value |
|---|---|
| Priority | normal |
| Severity | major |
| Reproducibility | have not tried |
| Platform | VMware Virtual Machine |
| OS | Ubuntu Linux |
| OS Version | 16.04 LTS |
| Target Version | |
| Fixed in Version | |
| Summary | 0013500: MYSQL-DB PASSWORD LEAKED AFTER UPGRADE !!! |
Description

We tried to upgrade ubuntu from trusty to xenial, but tine was not working after. Instead of showing the logon screen, the settings were dumped in json format, INCLUDING THE LOGON CREDENTIALS FOR THE MYSQL DATABASE. I've investigated access during this time and fortunately there were none, except upgrade team.

Since tine is usually accessible from the internet, THIS ISSUE IS A MAJOR SECURITY RISK AND SHOULD BE FIXED IMMEDIATELY!

Tags: No tags attached.
Note 0020840 (pschuele, 2017-09-29 12:01)

I'm not sure if this is solvable in the application. Maybe this has to be configured in the webserver. Which settings are shown? Can you give an example / screenshot?
Note 0020842 (cweiss, 2017-09-29 12:28)

An authenticated setup user has access to DB credentials. This info is transferred via JSON in setup. It might be that the JSON was shown for some strange reason. But this is not a problem IMHO as long as it only appears for authenticated setup users.
Note 0020844 (estradis, 2017-09-29 13:13)

We already dumped the snapshot and tried to upgrade a second time, so unfortunately I have no screenshots.

The admin on this task connected to http://tine.example.com/tine20 using our public url from internal network. As a result the configuration was shown (I guess the content of config.inc.php), but there was no authentication before. He called the url immediately after the server was restarted.

He also observed a weird behavior at first while mysql was upgraded to newest version. Some tine20 tables were not updatable, he said. Maybe this caused the confusion of tine.

By the way, our second try was some kind of successful. Tine was responding and applications have been updated too, but now no one is able to log on. We currently are investigating this problem.
Note 0020846 (estradis, 2017-09-29 15:00)

Found the problem and opened another issue in https://forge.tine20.org/view.php?id=13504.

For this issue we're going to restore to the previous snapshot and try to set up another installation to transfer tine.
Note 0021062 (pschuele, 2017-11-01 16:30)

Maybe we should switch (or allow to use optionally) to env variables for the db credentials - see https://dev.to/damienalexandre/what-you-need-to-know-about-environment-variables-with-php-d3c
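As an added illustration of the suggestion above (example code, not Tine 2.0 project code): the database section of a config.inc.php is built from environment variables instead of literals, and any config array is passed through a redaction step before it is JSON-encoded for the setup client, so a stray dump like the one reported no longer carries the password. The TINE20_DB_* variable names and the config key names are assumptions.

```php
<?php
// Added example, not Tine 2.0 code. Assumed: the web server or php-fpm
// pool exports TINE20_DB_HOST, TINE20_DB_NAME, TINE20_DB_USER and
// TINE20_DB_PASSWORD; the config key names mirror a typical config.inc.php.

function requireEnv(string $name): string
{
    $value = getenv($name);
    if ($value === false || $value === '') {
        // Fail closed: a missing credential must not silently become "".
        throw new RuntimeException("Required environment variable $name is not set");
    }
    return $value;
}

function databaseConfigFromEnv(): array
{
    return [
        'adapter'  => 'pdo_mysql',
        'host'     => requireEnv('TINE20_DB_HOST'),
        'dbname'   => requireEnv('TINE20_DB_NAME'),
        'username' => requireEnv('TINE20_DB_USER'),
        'password' => requireEnv('TINE20_DB_PASSWORD'),
    ];
}

// Recursively mask credential-bearing keys so that whatever config view is
// serialized for the browser (setup UI or an accidental dump) holds no secret.
function redactSecrets(array $config): array
{
    foreach ($config as $key => $value) {
        if (is_array($value)) {
            $config[$key] = redactSecrets($value);
        } elseif (preg_match('/password|secret|token/i', (string) $key)) {
            $config[$key] = '***';
        }
    }
    return $config;
}

$config = ['database' => databaseConfigFromEnv()];

// Only the redacted view is ever sent to the client.
header('Content-Type: application/json');
echo json_encode(redactSecrets($config));
// Output contains "password":"***" and never the value from the environment.
```

The plaintext password stays in the process environment and is read only by the DB connection code; the file itself contains nothing worth leaking if it is ever served verbatim.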
Note 0021084 (estradis, 2017-11-03 12:45)

Meanwhile we did a lot of migration tests and found a lot of problems, too, but unfortunately we weren't able to reproduce this issue again (as well as we weren't able to achieve any successful migration, too).

Maybe your intended solution might solve the problem, maybe it opens other problems, but regardless of them, I really wonder how it was possible that the json was shown in plain text as content of a page and not handled as the data part of the page. (Ajax failure?)
Note 0021352 (estradis, 2018-01-23 09:37)

Found another db-user/password leak in https://forge.tine20.org/view.php?id=13720
Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2017-09-29 11:46 | estradis | New Issue | |
| 2017-09-29 11:54 | pschuele | Assigned To | => pschuele |
| 2017-09-29 12:01 | pschuele | Status | new => feedback |
| 2017-09-29 12:01 | pschuele | Note Added: 0020840 | |
| 2017-09-29 12:28 | cweiss | Note Added: 0020842 | |
| 2017-09-29 13:13 | estradis | Note Added: 0020844 | |
| 2017-09-29 13:13 | estradis | Status | feedback => assigned |
| 2017-09-29 15:00 | estradis | Note Added: 0020846 | |
| 2017-10-22 01:30 | lab-at-nohl | Relationship added | related to 0009346 |
| 2017-11-01 16:30 | pschuele | Note Added: 0021062 | |
| 2017-11-01 16:31 | pschuele | Relationship added | related to 0013504 |
| 2017-11-01 16:32 | pschuele | Priority | immediate => normal |
| 2017-11-01 16:32 | pschuele | Severity | block => major |
| 2017-11-01 16:32 | pschuele | Status | assigned => new |
| 2017-11-03 10:26 | pschuele | Assigned To | pschuele => |
| 2017-11-03 12:45 | estradis | Note Added: 0021084 | |
| 2018-01-23 09:37 | estradis | Note Added: 0021352 | |