
Ensure database audit code attempts to use passwordless options before sending credentials #3999

Closed
YongBoLiu opened this issue Dec 10, 2020 · 0 comments
Labels
bug Undesired behaviour resolved A fixed issue
Milestone

Comments

@YongBoLiu
Copy link
Contributor

Describe the bug


Falcon EDR detected: Do not transmit credentials in clear text over any network.

Others have the chance to get the password via ps -ef while cli/audit_database.php --load is running.

Steps to reproduce the behavior:

  1. Go to cacti/cli

  2. Check the code of audit_database.php.

// Password is passed on the mysqldump command line, so it is visible to other local users in the process list (ps -ef)
exec('mysqldump -u' . $database_username . ' -p' . $database_password . ' ' . $database_default . ' table_columns table_indexes --extended-insert=FALSE > ' . $config['base_path'] . '/docs/audit_schema.sql');


Desktop (please complete the following information)

  • OS: [e.g. iOS]
    Linux


Additional context

We can set the user and password in my.cnf or in a file and then use the --defaults-extra-file option on mysqldump.
A simple way is to try mysqldump without user and password first; if that fails, then run mysqldump with user and password. This can minimize the chance of the password being caught by others. As it is a CLI, not called by a web page, I think it's OK for security.
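The approach described above (passwordless attempt first, then credentials passed through a temporary option file instead of the command line), written out as an added example. This is not Cacti's own code or its db_dump_data() implementation; the function and parameter names are hypothetical, and it assumes mysqldump is on PATH and that exec() is permitted.

```php
<?php
// Added example (not Cacti's code): run mysqldump without putting the
// password on the command line, where `ps -ef` would expose it.
// Hypothetical names: dump_schema_safely(), $user, $pass, $db, $tables, $outfile.

function dump_schema_safely(string $user, string $pass, string $db, array $tables, string $outfile): bool
{
    $target = escapeshellarg($db) . ' ' . implode(' ', array_map('escapeshellarg', $tables))
            . ' --extended-insert=FALSE > ' . escapeshellarg($outfile);

    // Step 1: try with no credentials at all. This succeeds when the
    // invoking user already has ~/.my.cnf or socket authentication set up.
    exec('mysqldump ' . $target . ' 2>/dev/null', $ignored, $rc);
    if ($rc === 0) {
        return true;
    }

    // Step 2: fall back to credentials, but hand them to mysqldump through a
    // temporary option file readable only by this user. Nothing secret
    // appears in the argument list, so the process table shows only the path.
    $tmp = tempnam(sys_get_temp_dir(), 'mycnf');
    if ($tmp === false) {
        return false;
    }
    chmod($tmp, 0600);

    // Option-file syntax: double-quoted value, backslash and quote escaped.
    $ini = "[client]\n"
         . 'user="' . addcslashes($user, "\\\"") . "\"\n"
         . 'password="' . addcslashes($pass, "\\\"") . "\"\n";

    if (file_put_contents($tmp, $ini) === false) {
        unlink($tmp);
        return false;
    }

    try {
        // --defaults-extra-file must be the first option on the mysqldump command line.
        exec('mysqldump --defaults-extra-file=' . escapeshellarg($tmp) . ' ' . $target, $ignored, $rc);
        return $rc === 0;
    } finally {
        unlink($tmp);   // never leave the credentials on disk after the dump
    }
}
```

The temporary file is created with mode 0600 and removed in a finally block so it does not outlive the dump even on failure; escapeshellarg() on every user-controlled fragment keeps the database and table names from being interpreted by the shell that exec() spawns.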

@YongBoLiu YongBoLiu added bug Undesired behaviour unverified Some days we don't have a clue labels Dec 10, 2020
YongBoLiu pushed a commit to YongBoLiu/cacti that referenced this issue Dec 10, 2020
@YongBoLiu YongBoLiu mentioned this issue Dec 10, 2020
YongBoLiu pushed a commit to YongBoLiu/cacti that referenced this issue Dec 24, 2020
YongBoLiu added a commit to YongBoLiu/cacti that referenced this issue Dec 26, 2020
TheWitness pushed a commit that referenced this issue Dec 30, 2020
* feature 3965, Add a value check if the input field is textbox in settings

* feature 3965, revert

* Fix #3999

* Refix issue #3999, wrap mysqldump into db_dump_data()

* Fix issue #3999, update the db_dump_data() to minimize the password being caught.

Co-authored-by: yboliu <yboliu@oc8636837557.ibm.com>
@TheWitness TheWitness added SECURITY A security issue reported through CVE and removed unverified Some days we don't have a clue SECURITY A security issue reported through CVE labels Jan 1, 2021
@TheWitness TheWitness added this to the v1.2.17 milestone Jan 1, 2021
@TheWitness TheWitness added the resolved A fixed issue label Jan 1, 2021
@netniV netniV changed the title The chances of mysqldump with password should be minimized Ensure database audit code attempts to use passwordless options before sending credentials Jan 4, 2021