0013720: Found another db user/password leak #6786
Reported by estradis on 22 Jan 2018 13:17
Version: 2017.08.11 Community Edition
In addition to https://forge.tine20.org/view.php?id=13500 I found another information leak of the db user and its password. The plain text credentials were stored in /var/log/apache2/error.log, after I accidentally misconfigured the name for the tine20 database schema. (See additional information as well.)
Comment posted by mspahn on 13 Mar 2018 14:07
Btw. if you think you found a security related issue => https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM#reporting-security-issues
Comment posted by estradis on 14 Mar 2018 08:58
As the password is shown in error.log, not in tine20.log (a file not expected to be related directly to tine), I'd say, YES, it is a security issue.
Comment posted by pschuele on 5 Apr 2018 16:23
I can't reproduce the problem. I only see this in the tine20.log:
b3bef -- none -- - 2018-04-05T16:22:23+00:00 ERR (3): Tinebase_Exception::logExceptionToLogger::133 Zend_Db_Adapter_Exception -> SQLSTATE[HY000]  Access denied for user 'myuser'@'localhost' to database 'tine20a'
Comment posted by estradis on 9 Apr 2018 07:34
Looks like the behavior has changed with the new version 2018.02.2.
Single log line (modified for better readability)
[Sat Apr 07 23:11:45.556332 2018] [:error] [pid 1513] [client 10.x.y.z:55574] PHP Fatal error:
The exception is now handled completely in tine20 and not, like the first reported exception, in Zend Framework. So I can't reproduce it any more. It's also interesting that you got an "Access denied" instead of an "Unknown database" error like in my example.
You also asked for php version and error settings.
Error settings in "/etc/php/7.0/apache2/php.ini"
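As an added illustration of the underlying defect and its mitigation (example code, not tine20's own), the wrapper below catches a failed PDO connection and rethrows without the constructor arguments, so an uncaught exception no longer lands in Apache's error.log with the password in its stack trace; the host, schema name and credentials are placeholders:

```php
<?php
// Added example, not part of tine20. Demonstrates why the reported leak happens:
// an uncaught PDOException from PDO::__construct() is written by PHP as
// "PHP Fatal error: Uncaught PDOException ... Stack trace: #0 ... PDO->__construct(
// 'mysql:host=...', 'myuser', '<password>', Array)", i.e. the plain-text password
// ends up in error.log. Catching and rethrowing a fresh exception avoids that.

// Placeholder configuration; replace with your own values.
$config = [
    'host'     => 'localhost',
    'dbname'   => 'tine20a',            // mistyped schema name, as in the report
    'username' => 'myuser',
    'password' => 'PASSWORD_PLACEHOLDER',
];

/** Connect to the database without letting the credentials reach any trace. */
function connectWithoutCredentialLeak(array $config): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s', $config['host'], $config['dbname']);
    try {
        return new PDO($dsn, $config['username'], $config['password'], [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $e) {
        // Deliberately NOT passing $e as $previous: the previous exception's
        // trace still holds the PDO constructor arguments and would be printed.
        // Only the SQLSTATE is kept, which is enough to diagnose "Unknown
        // database" (42000/1049) versus "Access denied" (HY000/1045).
        throw new RuntimeException(
            'Database connection failed, SQLSTATE ' . $e->getCode()
        );
    }
}

/** Scrub known secrets from any text that is about to be written to a log. */
function scrubSecrets(string $text, array $secrets): string
{
    foreach ($secrets as $secret) {
        if ($secret !== '') {
            $text = str_replace($secret, '[REDACTED]', $text);
        }
    }
    return $text;
}

try {
    $pdo = connectWithoutCredentialLeak($config);
} catch (RuntimeException $e) {
    // Even the sanitized message passes through the scrubber before logging.
    error_log(scrubSecrets($e->getMessage(), [$config['password']]));
}
```

On PHP 7.4 and later the ini setting zend.exception_ignore_args=On additionally strips arguments from all exception traces, but it does not exist on the PHP 7.0 setup from the report, so the catch-and-rethrow pattern is what prevents the leak there.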