View Issue Details

ID: 0013720
Project: Tine 2.0
Category: Other
View Status: public
Last Update: 2018-04-12 16:23
Reporter: estradis
Assigned To: pschuele
Priority: low
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: VMware Virtual Machine
OS: Ubuntu Linux
OS Version: 16.04 LTS
Product Version: 2017.08.11 Community Edition
Target Version: (none)
Fixed in Version: 2018.02.3 Community Edition
Summary: 0013720: Found another db user/password leak
Description:
In addition to https://forge.tine20.org/view.php?id=13500 I found another information leak of the db user and its password. The plain text credentials were stored in /var/log/apache2/error.log, after I accidentally misconfigured the name for the tine20 database schema. (See additional information as well.)

========================================================================
The logged information should contain a masked password, not the plain text password!
========================================================================

Although the logged file is 3rd party, the problem is in tine because the 3rd party only throws the exception, which seems to be caught in a global tine file. Unfortunately I was not able to trace a full call stack, so I cannot say which file exactly.

Steps To Reproduce:
- Open /etc/apache2/sites-enabled/your-tine-site.conf
- Ensure that ErrorLog is configured (default: ${APACHE_LOG_DIR}/error.log)

- open config.ini.php
- change the parameter 'dbname' => 'tine20db' to a non-existent name (in my case tine20db by typo)
- save the file (no need to restart/reload the webserver)
- open http://your.tine.server/tine20/setup.php

The request should lead to a white window without any source.

- Open now error.log and see the leaked credentials
Additional Information:
Single log line (modified for better readability)

[Mon Jan 22 12:18:54.290486 2018] [:error] [pid 5513] [client 10.x.y.z:27741] PHP Fatal error:
    Uncaught PDOException: SQLSTATE[HY000] [1049] Unknown database 'tine20dn'
        in /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Abstract.php:128
Stack trace:
#0 /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Abstract.php(128): PDO->__construct('mysql:host=loca...', 'tine20connect', '[!!!MY_SECRET_DB_PASSWORD!!!]', Array)
#1 /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Mysql.php(111): Zend_Db_Adapter_Pdo_Abstract->_connect()
#2 /usr/share/tine20/Tinebase/Backend/Sql/Adapter/Pdo/Mysql.php(32): Zend_Db_Adapter_Pdo_Mysql->_connect()
#3 /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Abstract.php(460): Tinebase_Backend_Sql_Adapter_Pdo_Mysql->_connect()
#4 /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query(Object(Zend_Db_Select), Array)
#5 /usr/share/tine20/Tinebase/Backend/Sql/Abstract.php(769): Zend_Db_Adapter_Pdo_Abstract->query(Obj
    in /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Abstract.php on line 144
Tags: No tags attached.
mwticket

Relationships

related to 0013500 new MYSQL-DB PASSWORD LEAKED AFTER UPGRADE !!! 

Activities

mspahn (administrator) 2018-03-13 15:02 ~0021502

The password is not exposed to the frontend, therefore no leak. I'll leave this open in case someone wants to work on it. For it's a won't fix.
mspahn (administrator) 2018-03-13 15:07 ~0021504

Btw. if you think you found a security related issue => https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM#reporting-security-issues
estradis (reporter) 2018-03-14 09:58 ~0021510

As the password is shown in error.log, not in tine20.log (a file not expected to be related directly to tine), I'd say, YES, it is a security issue.

Why?
A lot of our customers and partners have separate departments for administrating and monitoring the logs. The complete login credentials might be available to the wrong persons. A scenario that is often not in mind.
pschuele (administrator) 2018-04-05 18:23 ~0021592

I can't reproduce the problem. I only see this in the tine20.log:

b3bef -- none -- - 2018-04-05T16:22:23+00:00 ERR (3): Tinebase_Exception::logExceptionToLogger::133 Zend_Db_Adapter_Exception -> SQLSTATE[HY000] [1044] Access denied for user 'myuser'@'localhost' to database 'tine20a'
b3bef -- none -- - 2018-04-05T16:22:23+00:00 ERR (3): Tinebase_Exception::logExceptionToLogger::155 #0 .../vendor_2017.11-develop/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Mysql.php(111): Zend_Db_Adapter_Pdo_Abstract->_connect()
#1 .../Tinebase/Backend/Sql/Adapter/Pdo/Mysql.php(32): Zend_Db_Adapter_Pdo_Mysql->_connect()
#2 .../vendor_2017.11-develop/zendframework/zendframework1/library/Zend/Db/Adapter/Abstract.php(460): Tinebase_Backend_Sql_Adapter_Pdo_Mysql->_connect()
#3 .../vendor_2017.11-develop/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query(Object(Zend_Db_Select), Array)
#4 .../Tinebase/Backend/Sql/Abstract.php(772): Zend_Db_Adapter_Pdo_Abstract->query(Object(Zend_Db_Select))
#5 .../Tinebase/Backend/Sql/Abstract.php(551): Tinebase_Backend_Sql_Abstract->_fetch(Object(Zend_Db_Select), 'fetch_all')
pschuele (administrator) 2018-04-05 18:25 ~0021594

* which php version are you using?
* what are the relevant (error-logging) php.ini settings?
estradis (reporter) 2018-04-09 09:34 ~0021608

Looks like the behavior has changed with the new version 2018.02.2.

Single log line (modified for better readability)

[Sat Apr 07 23:11:45.556332 2018] [:error] [pid 1513] [client 10.x.y.z:55574] PHP Fatal error:
    Uncaught Tinebase_Exception_Backend_Database: Connection failed: SQLSTATE[HY000] [1049] Unknown database 'tine20dN'
        in /var/www/tine20/Tinebase/Backend/Sql/Abstract.php:209
Stack trace:
#0 /var/www/tine20/Tinebase/Model/Filter/Id.php(95): Tinebase_Backend_Sql_Abstract->getSchema()
#1 /var/www/tine20/Tinebase/Model/Filter/Id.php(79): Tinebase_Model_Filter_Id->_getFieldType(Object(Tinebase_Backend_Sql))
#2 /var/www/tine20/Tinebase/Backend/Sql/Filter/FilterGroup.php(46): Tinebase_Model_Filter_Id->appendFilterSql(Object(Tinebase_Backend_Sql_Filter_GroupSelect), Object(Tinebase_Backend_Sql))
#3 /var/www/tine20/Tinebase/Backend/Sql/Abstract.php(583): Tinebase_Backend_Sql_Filter_FilterGroup::appendFilters(Object(Zend_Db_Select), Object(Tinebase_Model_ConfigFilter), Object(Tinebase_Backend_Sql))
#4 /var/www/tine20/Tinebase/Backend/Sql/Abstract.php(535): Tinebase_Backend_Sql_Abstract->_addFilter(Object(Zend_Db_Select), Object(Tinebase_Model_ConfigFilter))
#5 /var/www/tine20/Tinebase/Config/Abstract.php(594): Tinebase_ in /var/www/tine20/Tinebase/Backend/Sql/Abstract.php on line 209, referer: https://tine.example.com/tine20/

The exception is now handled completely in tine20 and not, like the first reported exception, in Zend Framework. So I can't reproduce it any more. It's also interesting that you got an "Access denied" instead of an "Unknown database" error like in my example.

You also asked for the PHP version and error settings. Here they are.
PHP=7.0 (installed by apt)

Error settings in "/etc/php/7.0/apache2/php.ini"
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = On
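The difference between the two traces on this page comes down to where the password sits on the call stack when the exception object is created. The following PHP illustration is added here and is not Tine 2.0 or Zend Framework code; the function name connectWrapped, the class DbConnector, the DSN and the credentials are constructed for the demo.

```php
<?php
// Added illustration, not Tine 2.0 or Zend Framework code. PHP records the scalar
// arguments of every frame on the stack when an exception object is created, and
// log_errors writes that trace to error.log for an uncaught exception. A password
// passed as a plain argument therefore leaks (strings are cut to 15 chars plus "...").

// Naive fix: a fresh exception is not enough, because frame #0 of its trace
// is the call of this very function, password argument included.
function connectWrapped($dsn, $user, $password) {
    try {
        return new PDO($dsn, $user, $password);
    } catch (PDOException $e) {
        throw new RuntimeException('Connection failed: ' . $e->getMessage());
    }
}

// Credentials in private properties: the frame is logged as DbConnector->connect()
// with no arguments. The PDOException is deliberately not chained as $previous,
// since PHP prints a chained exception together with its own (leaking) trace.
class DbConnector {
    private $dsn, $user, $password;
    public function __construct($dsn, $user, $password) {
        $this->dsn = $dsn; $this->user = $user; $this->password = $password;
    }
    public function connect() {
        try {
            return new PDO($this->dsn, $this->user, $this->password);
        } catch (PDOException $e) {
            throw new RuntimeException('Connection failed: ' . $e->getMessage());
        }
    }
}

// What a log reviewer checks: would the text PHP logs (__toString) contain the secret?
function traceLeaksSecret(Throwable $e, $secret) {
    return strpos((string) $e, $secret) !== false;
}

// Constructed values; no MySQL needs to be listening, the connect simply fails.
$dsn = 'mysql:host=127.0.0.1;dbname=tine20dn';
$secret = 'S3cr3t-Pw0rd';
$calls = [
    'connectWrapped' => function () use ($dsn, $secret) { connectWrapped($dsn, 'tine20connect', $secret); },
    'DbConnector'    => [new DbConnector($dsn, 'tine20connect', $secret), 'connect'],
];
foreach ($calls as $name => $call) {
    try { $call(); } catch (Throwable $e) {
        printf("%-14s password in logged trace: %s\n", $name, traceLeaksSecret($e, $secret) ? 'yes' : 'no');
    }
}
```

On PHP 7.4 and later the ini directive zend.exception_ignore_args=On removes arguments from all recorded traces and is the belt-and-braces setting for production; the reporter's PHP 7.0 has no such option, which is why the application-level pattern matters there.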
pschuele (administrator) 2018-04-12 16:23 ~0021614

OK, thanks for the feedback. Closing this issue.

Issue History

Date Modified Username Field Change
2018-01-22 14:17 estradis New Issue
2018-03-08 16:07 pschuele Relationship added related to 0013500
2018-03-08 16:07 pschuele Priority urgent => normal
2018-03-13 14:56 mspahn View Status public => private
2018-03-13 15:02 mspahn Note Added: 0021502
2018-03-13 15:03 mspahn Priority normal => low
2018-03-13 15:03 mspahn View Status private => public
2018-03-13 15:07 mspahn Note Added: 0021504
2018-03-14 09:58 estradis Note Added: 0021510
2018-04-05 18:23 pschuele Note Added: 0021592
2018-04-05 18:25 pschuele Note Added: 0021594
2018-04-05 18:25 pschuele Assigned To => pschuele
2018-04-05 18:25 pschuele Status new => feedback
2018-04-09 09:34 estradis Note Added: 0021608
2018-04-09 09:34 estradis Status feedback => assigned
2018-04-12 16:23 pschuele Note Added: 0021614
2018-04-12 16:23 pschuele Status assigned => resolved
2018-04-12 16:23 pschuele Resolution open => fixed
2018-04-12 16:23 pschuele Fixed in Version => 2018.02.3 Community Edition