Vendor: Froxlor Server Management Panel
By: Dustin Dörr
CVSS: 7.5 (HIGH)
Information Disclosure
CWE: 200
Product Name: Froxlor Server Management Panel
Affected Version From: 0.9.33.1
Affected Version To: 0.9.33.1
Patch Exists: YES
Related CWE: N/A
CPE: a:froxlor:froxlor
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2015
Froxlor Server Management Panel – MySQL Login Information Disclosure
An unauthenticated remote attacker can obtain the Froxlor MySQL username and password via web access because of incorrect file permissions on the /logs/ folder in Froxlor version 0.9.33.1 and earlier. The MySQL password and username may be stored in plaintext in the /logs/sql-error.log file. This directory is publicly reachable by default.
Mitigation:
Ensure that the /logs/ folder is not publicly accessible and that the file permissions are set correctly.
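One way to check an installation against this mitigation, as an added example that is not part of the original advisory or of Froxlor itself. It assumes the install directory is served by Apache with per-directory .htaccess files honoured; the function name and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not Froxlor code. Assumptions: the install directory passed in
# is served by Apache and per-directory .htaccess files are honoured.

# audit_froxlor_logs DIR -> prints findings, returns their count (0 = clean)
audit_froxlor_logs() {
    logs="$1/logs"
    errlog="$logs/sql-error.log"
    findings=0

    if [ ! -d "$logs" ]; then
        echo "OK: $logs does not exist"
        return 0
    fi

    # Mode bit o+x on the directory lets any account, including the web
    # server's, reach the files inside it.
    if [ -n "$(find "$logs" -prune -perm -001 -print)" ]; then
        echo "FINDING: $logs is accessible to 'other'"
        findings=$((findings + 1))
    fi

    # The advisory names sql-error.log as the file that may hold the
    # plaintext MySQL username and password.
    if [ -f "$errlog" ] && [ -n "$(find "$errlog" -perm -004 -print)" ]; then
        echo "FINDING: $errlog is world-readable"
        findings=$((findings + 1))
    fi

    # Web-level deny rule (Apache 2.4 or 2.2 syntax). A deny in the vhost
    # configuration is equally valid and is not detected here.
    if ! grep -Eiq 'Require[[:space:]]+all[[:space:]]+denied|Deny[[:space:]]+from[[:space:]]+all' \
            "$logs/.htaccess" 2>/dev/null; then
        echo "FINDING: no deny rule in $logs/.htaccess"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Run only when a directory is given, e.g.: sh audit.sh /var/www/froxlor
# (hypothetical script name and path)
if [ "$#" -gt 0 ]; then
    audit_froxlor_logs "$1"
fi
```

A non-zero exit status is the number of findings. If sql-error.log was reachable from the web at any point, change the MySQL password after fixing the permissions.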