View Issue Details

ID: 0013720
Project: Tine 2.0
Category: Other
View Status: public
Last Update: 2018-01-22 14:17
Reporter: estradis
Assigned To: (none)
Priority: urgent
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform: VMware Virtual Machine
OS: Ubuntu Linux
OS Version: 16.04 LTS
Product Version: 2017.08.11 Community Edition
Target Version: (none)
Fixed in Version: (none)

Summary: 0013720: Found another db user/password leak
Description: In addition to https://forge.tine20.org/view.php?id=13500 I found another information leak of the db user and its password. The plain text credentials were stored in /var/log/apache2/error.log, after I accidentally misconfigured the name for the tine20 database schema. (See additional information as well.)

========================================================================
The logged information should contain a masked password, not the plain text password!
========================================================================

Although the logged file is 3rd party, the problem is in tine because the 3rd party only throws the exception, which seems to be caught in a global tine file. Unfortunately I was not able to trace a full call stack, so I cannot say which file exactly.

Steps To Reproduce:
- Open /etc/apache2/sites-enabled/your-tine-site.conf
- Ensure that ErrorLog is configured (default: ${APACHE_LOG_DIR}/error.log)

- open config.ini.php
- change the parameter 'dbname' => 'tine20db' to a not existing name (in my case tine20db by typo)
- save the file (no need to restart/reload the webserver)
- open http://your.tine.server/tine20/setup.php

The request should lead to a white window without any source.

- Open now error.log and see the leaked credentials
Additional Information: Single log line (modified for better readability)

[Mon Jan 22 12:18:54.290486 2018] [:error] [pid 5513] [client 10.x.y.z:27741] PHP Fatal error:
    Uncaught PDOException: SQLSTATE[HY000] [1049] Unknown database 'tine20dn'
        in /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Abstract.php:128
Stack trace:
0 /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Abstract.php(128): PDO->__construct('mysql:host=loca...', 'tine20connect', '[!!!MY_SECRET_DB_PASSWORD!!!]', Array)
1 /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Mysql.php(111): Zend_Db_Adapter_Pdo_Abstract->_connect()
2 /usr/share/tine20/Tinebase/Backend/Sql/Adapter/Pdo/Mysql.php(32): Zend_Db_Adapter_Pdo_Mysql->_connect()
3 /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Abstract.php(460): Tinebase_Backend_Sql_Adapter_Pdo_Mysql->_connect()
4 /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query(Object(Zend_Db_Select), Array)
5 /usr/share/tine20/Tinebase/Backend/Sql/Abstract.php(769): Zend_Db_Adapter_Pdo_Abstract->query(Obj
    in /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Abstract.php on line 144
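As an added example (not from the issue or from the Tine 2.0 project), a small Python checker that scans Apache error log lines for the PDO constructor frame shown above, reports frames whose password argument is in plain text without echoing the secret, and redacts the argument so an excerpt can be attached to a ticket. The log lines are constructed, modelled on the trace in this report, with a made-up password.

```python
import re

# Frame that PHP prints for the PDO constructor in an uncaught-exception
# stack trace: PDO->__construct('<dsn>', '<user>', '<password>', Array)
PDO_CTOR = re.compile(
    r"PDO->__construct\('(?P<dsn>[^']*)',\s*'(?P<user>[^']*)',\s*'(?P<password>[^']*)'"
)
MASK = "***REDACTED***"


def is_masked(password: str) -> bool:
    """An empty value or a run of '*' is a placeholder, not a leaked secret."""
    return password == "" or set(password) <= {"*"}


def find_leaks(lines):
    """Return (line_no, dsn, user) for each PDO frame whose password is in plain text.
    The password itself is deliberately not returned, so the finding is safe to log."""
    found = []
    for no, line in enumerate(lines, 1):
        m = PDO_CTOR.search(line)
        if m and not is_masked(m.group("password")):
            found.append((no, m.group("dsn"), m.group("user")))
    return found


def redact(line: str) -> str:
    """Rewrite the password argument so a log excerpt can be shared."""
    return PDO_CTOR.sub(
        lambda m: "PDO->__construct('{}', '{}', '{}'".format(
            m.group("dsn"), m.group("user"), MASK), line)


# Constructed sample (the password is made up), modelled on the trace in the report.
SAMPLE_LOG = [
    "[Mon Jan 22 12:18:54.290486 2018] [:error] [pid 5513] [client 10.0.0.5:27741] "
    "PHP Fatal error:  Uncaught PDOException: SQLSTATE[HY000] [1049] Unknown database 'tine20dn'",
    "#0 /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Abstract.php(128): "
    "PDO->__construct('mysql:host=loca...', 'tine20connect', 'constructed-secret', Array)",
    "#1 /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Mysql.php(111): "
    "Zend_Db_Adapter_Pdo_Abstract->_connect()",
    "#0 /srv/other/Abstract.php(128): PDO->__construct('mysql:host=loca...', 'app', '***', Array)",
]

if __name__ == "__main__":
    for no, dsn, user in find_leaks(SAMPLE_LOG):
        print(f"line {no}: plaintext DB password for user {user!r} (dsn {dsn!r})")
    print(redact(SAMPLE_LOG[1]))
```

Run it against a real error.log by replacing SAMPLE_LOG with the file's lines; only frames whose password argument is not a placeholder are reported.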
    
Tags: No tags attached.
mwticket

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2018-01-22 14:17 estradis New Issue