0013500: MYSQL-DB PASSWORD LEAKED AFTER UPGRADE !!! #6678
Reported by estradis on 29 Sep 2017 09:46
We tried to upgrade Ubuntu from trusty to xenial, but tine was not working afterwards. Instead of showing the logon screen, the settings were dumped in JSON format, INCLUDING THE LOGON CREDENTIALS FOR THE MYSQL DATABASE. I've investigated access during this time and fortunately there was none, except the upgrade team.
Since tine is usually accessible from the internet, THIS ISSUE IS A MAJOR SECURITY RISK AND SHOULD BE FIXED IMMEDIATELY!
Comment posted by cweiss on 29 Sep 2017 10:28
An authenticated setup user has access to DB credentials. This info is transferred via JSON in setup. It might be that the JSON was shown for some strange reason. But this is not a problem IMHO as long as it only appears for authenticated setup users.
Comment posted by estradis on 29 Sep 2017 11:13
He also observed weird behavior at first while MySQL was upgraded to the newest version. Some tine20 tables were not updateable, he said. Maybe this caused the confusion of tine.
By the way, our second try was somewhat successful. Tine was responding and applications have been updated too, but now no one is able to log on. We are currently investigating this problem.
Comment posted by pschuele on 1 Nov 2017 15:30
Maybe we should switch (or optionally allow switching) to env variables for the DB credentials - see https://dev.to/damienalexandre/what-you-need-to-know-about-environment-variables-with-php-d3c
Comment posted by estradis on 3 Nov 2017 11:45
Meanwhile we did a lot of migration tests and found a lot of problems, too, but unfortunately we weren't able to reproduce this issue again (nor were we able to achieve any successful migration).
Maybe your intended solution might solve the problem, maybe it opens other problems, but regardless of them, I really wonder how it was possible that the JSON was shown in plain text as content of a page and not handled as the data part of the page. (Ajax failure?)
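
The two ideas raised in this thread, DB credentials taken from environment variables and a setup JSON response that cannot expose them even if it is rendered as a page, sketched in PHP as an added example (not code from Tine 2.0 or from the commenters). The `TINE_DB_*` variable names, the function names and the config key names are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout: the TINE_DB_* variables and the three
// functions below are illustrations, not Tine 2.0 APIs.
const SECRET_KEYS = ['password', 'pass', 'secret']; // assumed key names

/** Read DB settings from the environment; fail closed if any are missing. */
function dbConfigFromEnv(): array
{
    $map = ['host' => 'TINE_DB_HOST', 'dbname' => 'TINE_DB_NAME',
            'username' => 'TINE_DB_USER', 'password' => 'TINE_DB_PASSWORD'];
    $cfg = [];
    foreach ($map as $key => $var) {
        $value = getenv($var);
        if ($value === false || $value === '') {
            throw new RuntimeException("missing environment variable $var");
        }
        $cfg[$key] = $value;
    }
    return $cfg;
}

/** Recursively mask secret values so they never reach json_encode(). */
function redactSecrets(array $config): array
{
    foreach ($config as $key => $value) {
        if (is_array($value)) {
            $config[$key] = redactSecrets($value);
        } elseif (in_array(strtolower((string) $key), SECRET_KEYS, true)) {
            $config[$key] = '********';
        }
    }
    return $config;
}

/** Build the setup JSON; unauthenticated callers get no config at all. */
function setupResponse(array $config, bool $isSetupUser): string
{
    $body = $isSetupUser ? ['config' => redactSecrets($config)]
                         : ['error' => 'setup authentication required'];
    return json_encode($body, JSON_THROW_ON_ERROR);
}

// Constructed sample values, set here only so the example runs stand-alone.
foreach (['HOST=localhost', 'NAME=tine20', 'USER=tine', 'PASSWORD=example-only'] as $kv) {
    putenv('TINE_DB_' . $kv);
}
$config = ['database' => dbConfigFromEnv(), 'logger' => ['active' => true]];
echo setupResponse($config, true), PHP_EOL;  // config with password masked
echo setupResponse($config, false), PHP_EOL; // error object only
```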