View Issue Details

ID: 0013500
Project: Tine 2.0
Category: Setup
View Status: public
Last Update: 2017-11-03 12:45
Reporter: estradis
Assigned To: (none)
Priority: normal
Severity: major
Reproducibility: have not tried
Status: new
Resolution: open
Platform: VMware Virtual Machine
OS: Ubuntu Linux
OS Version: 16.04 LTS
Product Version: (none)
Target Version: (none)
Fixed in Version: (none)
Summary: 0013500: MYSQL-DB PASSWORD LEAKED AFTER UPGRADE !!!

Description:
We tried to upgrade Ubuntu from trusty to xenial, but Tine was not working afterwards. Instead of showing the logon screen, the settings were dumped in JSON format, INCLUDING THE LOGON CREDENTIALS FOR THE MYSQL DATABASE. I've investigated access during this time and fortunately there was none, except the upgrade team.

Since Tine is usually accessible from the internet, THIS ISSUE IS A MAJOR SECURITY RISK AND SHOULD BE FIXED IMMEDIATELY!

Tags: No tags attached.
mwticket

Relationships

related to 0009346 (resolved, pschuele): Mysql-Password gets exposed
related to 0013504 (resolved, pschuele): setup.php --restore --db=1 bails out and leaves database unusable

Activities

pschuele (administrator), 2017-09-29 12:01, note ~0020840

I'm not sure if this is solvable in the application. Maybe this has to be configured in the webserver. Which settings are shown? Can you give an example / screenshot?
cweiss (administrator), 2017-09-29 12:28, note ~0020842

An authenticated setup user has access to DB credentials. This info is transferred via JSON in setup. It might be that the JSON was shown for some strange reason. But this is not a problem IMHO as long as it only appears for authenticated setup users.
estradis (reporter), 2017-09-29 13:13, note ~0020844

@pschuele:
We already dumped the snapshot and tried to upgrade a second time, so unfortunately I have no screenshots.

@cweiss:
The admin on this task connected to http://tine.example.com/tine20 using our public URL from the internal network. As a result the configuration was shown (I guess the content of config.inc.php), but there was no authentication before. He called the URL immediately after the server was restarted.

He also observed a weird behavior at first while MySQL was upgraded to the newest version. Some tine20 tables were not updatable, he said. Maybe this caused the confusion of Tine.

By the way, our second try was somewhat successful. Tine was responding and the applications have been updated too, but now no one is able to log on. We are currently investigating this problem.
estradis (reporter), 2017-09-29 15:00, note ~0020846

Found the problem and opened another issue in https://forge.tine20.org/view.php?id=13504.

For this issue we're going to restore to the previous snapshot and try to set up another installation to transfer Tine.
pschuele (administrator), 2017-11-01 16:30, note ~0021062

Maybe we should switch (or allow optionally) to env variables for the DB credentials - see https://dev.to/damienalexandre/what-you-need-to-know-about-environment-variables-with-php-d3c
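The note above proposes taking the DB credentials from environment variables. The following is an added illustration of that approach, not Tine 2.0's own code: the `TINE20_DB_*` variable names, the `config.inc.php` array layout and the `redactSecrets()` helper are assumptions, and the helper addresses the second half of the report by masking secret keys before any settings array is serialised to JSON.

```php
<?php
// Added example (hypothetical names, not Tine 2.0 code): read DB credentials
// from the environment first, fall back to the config file array, and redact
// secrets before a settings array is ever json_encode()d for the browser.
declare(strict_types=1);

/** Return an env variable if set and non-empty, else the config file value. */
function envOrConfig(string $envName, array $config, string $key, ?string $default = null): ?string
{
    $value = getenv($envName);
    if ($value !== false && $value !== '') {
        return $value;
    }
    return $config[$key] ?? $default;
}

/** Build the database settings; TINE20_DB_* variables (assumed names) win over the file. */
function loadDatabaseConfig(array $fileConfig): array
{
    return [
        'host'     => envOrConfig('TINE20_DB_HOST', $fileConfig, 'host', 'localhost'),
        'dbname'   => envOrConfig('TINE20_DB_NAME', $fileConfig, 'dbname'),
        'username' => envOrConfig('TINE20_DB_USER', $fileConfig, 'username'),
        'password' => envOrConfig('TINE20_DB_PASSWORD', $fileConfig, 'password'),
    ];
}

/** Return a copy of a settings array with secret-looking keys masked, recursively. */
function redactSecrets(array $settings): array
{
    $secretKeys = ['password', 'passwd', 'secret', 'token', 'apikey'];
    foreach ($settings as $key => $value) {
        if (is_array($value)) {
            $settings[$key] = redactSecrets($value);
        } elseif (is_string($key) && in_array(strtolower($key), $secretKeys, true)) {
            $settings[$key] = '***REDACTED***';
        }
    }
    return $settings;
}

// Constructed sample standing in for what config.inc.php would return.
$fileConfig = ['host' => 'localhost', 'dbname' => 'tine20', 'username' => 'tine20', 'password' => 'file-secret'];
$db = loadDatabaseConfig($fileConfig);

// Every JSON dump of settings passes through the redaction step first.
echo json_encode(['database' => redactSecrets($db)], JSON_PRETTY_PRINT), PHP_EOL;
```

With `TINE20_DB_PASSWORD` exported in the PHP-FPM or Apache environment, the password never needs to be present in `config.inc.php`, and the redaction step keeps an accidental settings dump from carrying whatever value is in use.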
estradis (reporter), 2017-11-03 12:45, note ~0021084

Meanwhile we did a lot of migration tests and found a lot of problems, too, but unfortunately we weren't able to reproduce this issue again (and we weren't able to achieve any successful migration either).

Maybe your intended solution might solve the problem, maybe it opens other problems, but regardless of them, I really wonder how it was possible that the JSON was shown in plain text as the content of a page and not handled as the data part of the page. (Ajax failure?)

Issue History

Date Modified Username Field Change
2017-09-29 11:46 estradis New Issue
2017-09-29 11:54 pschuele Assigned To => pschuele
2017-09-29 12:01 pschuele Status new => feedback
2017-09-29 12:01 pschuele Note Added: 0020840
2017-09-29 12:28 cweiss Note Added: 0020842
2017-09-29 13:13 estradis Note Added: 0020844
2017-09-29 13:13 estradis Status feedback => assigned
2017-09-29 15:00 estradis Note Added: 0020846
2017-10-22 01:30 lab-at-nohl Relationship added related to 0009346
2017-11-01 16:30 pschuele Note Added: 0021062
2017-11-01 16:31 pschuele Relationship added related to 0013504
2017-11-01 16:32 pschuele Priority immediate => normal
2017-11-01 16:32 pschuele Severity block => major
2017-11-01 16:32 pschuele Status assigned => new
2017-11-03 10:26 pschuele Assigned To pschuele =>
2017-11-03 12:45 estradis Note Added: 0021084