
0013500: MYSQL-DB PASSWORD LEAKED AFTER UPGRADE !!! #6678

Closed
Gloirin opened this Issue Jun 9, 2018 · 9 comments

Comments


Gloirin commented Jun 9, 2018

Reported by estradis on 29 Sep 2017 09:46

We tried to upgrade ubuntu from trusty to xenial, but tine was not working after. Instead of showing the logon screen, the settings were dumped in json format, INCLUDING THE LOGON CREDENTIALS FOR THE MYSQL DATABASE. I've investigated access during this time and fortunately there were none, except upgrade team.

Since tine is usually accessible from the internet, THIS ISSUE IS A MAJOR SECURITY RISK AND SHOULD BE FIXED IMMEDIATELY!

Gloirin commented Jun 10, 2018

Related to #4692

Gloirin commented Jun 10, 2018

Related to #6680

Gloirin commented Jun 11, 2018

Comment posted by pschuele on 29 Sep 2017 10:01

I'm not sure if this is solvable in the application. Maybe this has to be configured in the webserver. Which settings are shown? Can you give an example / screenshot?

Gloirin commented Jun 11, 2018

Comment posted by cweiss on 29 Sep 2017 10:28

An authenticated setup user has access to DB credentials. This info is transferred via JSON in setup. It might be that the JSON was shown for some strange reason. But this is not a problem IMHO as long as it only appears for authenticated setup users.

Gloirin commented Jun 11, 2018

Comment posted by estradis on 29 Sep 2017 11:13

@pschuele:
We already dumped the snapshot and tried to upgrade a second time, so unfortunately I have no screenshots.

@cweiss:
The admin on this task connected to http://tine.example.com/tine20 using our public URL from the internal network. As a result the configuration was shown (I guess the content of config.inc.php), but there was no authentication before. He called the URL immediately after the server was restarted.

He also observed a weird behavior at first while MySQL was upgraded to the newest version. Some tine20 tables were not updatable, he said. Maybe this caused the confusion of tine.

By the way, our second try was somewhat successful. Tine was responding and the applications have been updated too, but now no one is able to log on. We are currently investigating this problem.

Gloirin commented Jun 11, 2018

Comment posted by estradis on 29 Sep 2017 13:00

Found the problem and opened another issue in https://forge.tine20.org/view.php?id=13504.

For this issue we're going to restore to the previous snapshot and try to set up another installation to transfer tine.

Gloirin commented Jun 11, 2018

Comment posted by pschuele on 1 Nov 2017 15:30

Maybe we should switch (or allow to use optionally) to env variables for the db credentials - see https://dev.to/damienalexandre/what-you-need-to-know-about-environment-variables-with-php-d3c
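An added example, not Tine 2.0's own code, of the two defensive measures this thread touches on: reading the database credentials from environment variables as suggested above, and redacting secret keys before a settings array is ever serialized to JSON, so a dump like the one in the original report cannot carry the password. The `TINE20_DB_*` variable names and the `database` / `setupuser` layout are assumptions for the example.

```php
<?php
// Added example (not Tine 2.0 project code): DB credentials from the environment
// instead of a config file, plus redaction of secrets before JSON serialization.
declare(strict_types=1);

const SECRET_KEYS = ['password', 'passwd', 'secret', 'token', 'apikey'];

/**
 * Build the database config block from environment variables.
 * The TINE20_DB_* names are assumed for this example, not the project's own.
 * Throws instead of silently falling back to a file on disk.
 */
function dbConfigFromEnv(): array
{
    $cfg = [];
    foreach (['host' => 'TINE20_DB_HOST', 'dbname' => 'TINE20_DB_NAME',
              'username' => 'TINE20_DB_USER', 'password' => 'TINE20_DB_PASSWORD'] as $key => $var) {
        $value = getenv($var);
        if ($value === false || $value === '') {
            throw new RuntimeException("missing environment variable $var");
        }
        $cfg[$key] = $value;
    }
    return $cfg;
}

/** Recursively replace secret values so a dumped settings array cannot leak them. */
function redactSecrets(array $settings): array
{
    foreach ($settings as $key => $value) {
        if (is_array($value)) {
            $settings[$key] = redactSecrets($value);
        } elseif (is_string($key) && in_array(strtolower($key), SECRET_KEYS, true)) {
            $settings[$key] = '***REDACTED***';
        }
    }
    return $settings;
}

// Constructed sample values; in production these come from the process environment.
putenv('TINE20_DB_HOST=localhost');
putenv('TINE20_DB_NAME=tine20');
putenv('TINE20_DB_USER=tine20');
putenv('TINE20_DB_PASSWORD=s3cr3t-example');

$settings = ['database' => dbConfigFromEnv(), 'setupuser' => ['username' => 'setup', 'password' => 'x']];
// Only the redacted form should ever reach a response body or a log line.
echo json_encode(redactSecrets($settings), JSON_PRETTY_PRINT), PHP_EOL;
```

The redaction is a second line of defence only; the primary fix is still that setup and configuration responses must never be served to an unauthenticated client.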

Gloirin commented Jun 11, 2018

Comment posted by estradis on 3 Nov 2017 11:45

Meanwhile we did a lot of migration tests and found a lot of problems, too, but unfortunately we weren't able to reproduce this issue again (as well as we weren't able to achieve any successful migration, too).

Maybe your intended solution might solve the problem, maybe it opens other problems, but regardless of them, I really wonder how it was possible that the JSON was shown in plain text as content of a page and not handled as the data part of the page. (Ajax failure?)

Gloirin commented Jun 11, 2018

Comment posted by estradis on 23 Jan 2018 08:37

Found another db-user/password leak in https://forge.tine20.org/view.php?id=13720

@pschuele pschuele self-assigned this Jul 11, 2018

@pschuele pschuele added this to To do in Tine 2.0 Development via automation Jul 11, 2018

@pschuele pschuele added this to the 207.11.11 milestone Jul 11, 2018

@pschuele pschuele moved this from To do to To be tested in Tine 2.0 Development Jul 11, 2018

@pschuele pschuele closed this in acc9129 Jul 19, 2018

Tine 2.0 Development automation moved this from To be tested to Done Jul 19, 2018
