0013720: Found another db user/password leak #6786

Closed
Gloirin opened this Issue Jun 9, 2018 · 8 comments

Gloirin commented Jun 9, 2018

Reported by estradis on 22 Jan 2018 13:17

Version: 2017.08.11 Community Edition

Additional to https://forge.tine20.org/view.php?id=13500 I found another information leak of the db user and its password. The plain text credentials were stored in /var/log/apache2/error.log, after I accidentally misconfigured the name for the tine20 database schema. (See additional information as well.)

========================================================================
The logged information should contain a masked password, not the plain text password!

Although the logged file is 3rd party, the problem is in tine because the 3rd party only throws the exception, which seems to be caught in a global tine file. Unfortunately I was not able to trace a full call stack, so I cannot say which file exactly.

Steps to reproduce:

  • Open /etc/apache2/sites-enabled/your-tine-site.conf
  • Ensure that ErrorLog is configured (default: ${APACHE_LOG_DIR}/error.log)
  • Open config.ini.php
  • Change the parameter 'dbname' => 'tine20db' to a non-existing name (in my case tine20db by typo)
  • Save the file (no need to restart/reload the webserver)
  • Open http://your.tine.server/tine20/setup.php
    The request should lead to a white window without any source.
  • Now open error.log and see the leaked credentials

Additional information: Single log line (modified for better readability)

[Mon Jan 22 12:18:54.290486 2018] [:error] [pid 5513] [client 10.x.y.z:27741] PHP Fatal error:
Uncaught PDOException: SQLSTATE[HY000] [1049] Unknown database 'tine20dn'
in /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Abstract.php:128
Stack trace:
0 /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Abstract.php(128): PDO->__construct('mysql:host=loca...', 'tine20connect', '[!!!MY_SECRET_DB_PASSWORD!!!]', Array)
1 /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Mysql.php(111): Zend_Db_Adapter_Pdo_Abstract->_connect()
2 /usr/share/tine20/Tinebase/Backend/Sql/Adapter/Pdo/Mysql.php(32): Zend_Db_Adapter_Pdo_Mysql->_connect()
3 /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Abstract.php(460): Tinebase_Backend_Sql_Adapter_Pdo_Mysql->_connect()
4 /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query(Object(Zend_Db_Select), Array)
5 /usr/share/tine20/Tinebase/Backend/Sql/Abstract.php(769): Zend_Db_Adapter_Pdo_Abstract->query(Obj
in /usr/share/tine20/vendor/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Abstract.php on line 144
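Why the password ends up in the trace, and one way to keep it out, as an added example that is not tine20 or Zend Framework code: when an exception goes uncaught, PHP writes the exception's string form to the error log, and that string includes the stack trace with the argument values of every active frame (on PHP before 7.4 unconditionally). Frame #0 above is PDO->__construct() with the DSN, user and password as its arguments, so the password is printed verbatim. The class names, the sqlite DSN and the demo values below are constructed for this example; the point is that credentials are held in private properties and the connect call takes no parameters, so no frame that can appear in a trace carries them as arguments, and the PDOException is wrapped without being chained.

```php
<?php
declare(strict_types=1);

// Added example, not tine20 or Zend Framework code (names are hypothetical).
//
// PHP logs (string)$exception for an uncaught exception. That string contains
// getTraceAsString(), and each frame lists its argument values, so a frame such
// as PDO->__construct($dsn, $user, $password) prints the password. Any other
// active frame that received the password as a parameter would print it too.

final class DatabaseConnectionException extends RuntimeException
{
}

/**
 * Holds the credentials in private properties, so that no frame on the call
 * stack carries them as arguments while the connection is being opened.
 */
final class DbConnector
{
    /** @var string */
    private $dsn;
    /** @var string */
    private $user;
    /** @var string */
    private $password;
    /** @var array */
    private $options;

    public function __construct(string $dsn, string $user, string $password, array $options = [])
    {
        $this->dsn = $dsn;
        $this->user = $user;
        $this->password = $password;
        $this->options = $options;
    }

    /**
     * Opens the connection. connect() takes no parameters, so the frame that
     * calls it is logged as "DbConnector->connect()" and nothing more. On
     * failure the driver message is kept (it may name the user or database,
     * never the password) and the PDOException is deliberately NOT chained as
     * $previous: PHP also prints the trace of every chained exception, which
     * would bring back the PDO->__construct() frame with its arguments.
     */
    public function connect(): PDO
    {
        try {
            return new PDO($this->dsn, $this->user, $this->password, $this->options);
        } catch (PDOException $e) {
            throw new DatabaseConnectionException('Connection failed: ' . $e->getMessage());
        }
    }
}

// --- Demonstration with constructed values; needs only the pdo_sqlite extension. ---
// A DSN pointing into a directory that does not exist makes PDO throw, just as
// the unknown MySQL database name did in the report.
$secret = 'EXAMPLE-NOT-A-REAL-PASSWORD';
$connector = new DbConnector('sqlite:/nonexistent-dir/tine20.sqlite', 'tine20connect', $secret);

try {
    $connector->connect();
} catch (DatabaseConnectionException $e) {
    // (string)$e is exactly what the uncaught-exception handler would write to error.log.
    $logged = (string) $e;
    echo strpos($logged, $secret) === false
        ? "OK: trace contains no credential\n"
        : "LEAK: credential present in trace\n";
    echo $logged, "\n";
}
```

Two things worth checking on an existing installation: on PHP 7.4 and later, `zend.exception_ignore_args = On` in php.ini (the default in the shipped production ini) strips argument values from all traces and is a useful second line of defence, independent of how the application wraps exceptions. The `log_errors_max_len = 1024` setting from the reporter's php.ini does not help here: it is what appears to have cut the trace above off at frame #5 ("query(Obj"), but the password sits in frame #0, well inside the first 1024 bytes.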

@Gloirin Gloirin added this to the 2018.02.3 Community Edition milestone Jun 9, 2018

@Gloirin Gloirin self-assigned this Jun 9, 2018

@Gloirin Gloirin closed this Jun 9, 2018

Gloirin commented Jun 10, 2018

Related to #6678

Gloirin commented Jun 11, 2018

Comment posted by mspahn on 13 Mar 2018 14:02

The password is not exposed to the frontend, therefore no leak. I'll leave this open in case someone wants to work on it. For it's a won't fix.

Gloirin commented Jun 11, 2018

Comment posted by mspahn on 13 Mar 2018 14:07

Btw. if you think you found a security related issue => https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM#reporting-security-issues

Gloirin commented Jun 11, 2018

Comment posted by estradis on 14 Mar 2018 08:58

As the password is shown in error.log, not in tine20.log (a file not expected to be related directly to tine), I'd say, YES, it is a security issue.

Why?
A lot of our customers and partners have separate departments for administrating and monitoring the logs. The complete login credentials might be available to the wrong persons. A scenario that is often not kept in mind.

Gloirin commented Jun 11, 2018

Comment posted by pschuele on 5 Apr 2018 16:23

I can't reproduce the problem. I only see this in the tine20.log:

b3bef -- none -- - 2018-04-05T16:22:23+00:00 ERR (3): Tinebase_Exception::logExceptionToLogger::133 Zend_Db_Adapter_Exception -> SQLSTATE[HY000] [1044] Access denied for user 'myuser'@'localhost' to database 'tine20a'
b3bef -- none -- - 2018-04-05T16:22:23+00:00 ERR (3): Tinebase_Exception::logExceptionToLogger::155 #0 .../vendor_2017.11-develop/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Mysql.php(111): Zend_Db_Adapter_Pdo_Abstract->_connect()
#1 .../Tinebase/Backend/Sql/Adapter/Pdo/Mysql.php(32): Zend_Db_Adapter_Pdo_Mysql->_connect()
#2 .../vendor_2017.11-develop/zendframework/zendframework1/library/Zend/Db/Adapter/Abstract.php(460): Tinebase_Backend_Sql_Adapter_Pdo_Mysql->_connect()
#3 .../vendor_2017.11-develop/zendframework/zendframework1/library/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query(Object(Zend_Db_Select), Array)
#4 .../Tinebase/Backend/Sql/Abstract.php(772): Zend_Db_Adapter_Pdo_Abstract->query(Object(Zend_Db_Select))
#5 .../Tinebase/Backend/Sql/Abstract.php(551): Tinebase_Backend_Sql_Abstract->_fetch(Object(Zend_Db_Select), 'fetch_all')

Gloirin commented Jun 11, 2018

Comment posted by pschuele on 5 Apr 2018 16:25

  • which php version are you using?
  • what are the relevant (error-logging) php.ini settings?
Gloirin commented Jun 11, 2018

Comment posted by estradis on 9 Apr 2018 07:34

Looks like the behavior has changed with the new version 2018.02.2.

Single log line (modified for better readability)

[Sat Apr 07 23:11:45.556332 2018] [:error] [pid 1513] [client 10.x.y.z:55574] PHP Fatal error:
Uncaught Tinebase_Exception_Backend_Database: Connection failed: SQLSTATE[HY000] [1049] Unknown database 'tine20dN'
in /var/www/tine20/Tinebase/Backend/Sql/Abstract.php:209
Stack trace:
#0 /var/www/tine20/Tinebase/Model/Filter/Id.php(95): Tinebase_Backend_Sql_Abstract->getSchema()
#1 /var/www/tine20/Tinebase/Model/Filter/Id.php(79): Tinebase_Model_Filter_Id->_getFieldType(Object(Tinebase_Backend_Sql))
#2 /var/www/tine20/Tinebase/Backend/Sql/Filter/FilterGroup.php(46): Tinebase_Model_Filter_Id->appendFilterSql(Object(Tinebase_Backend_Sql_Filter_GroupSelect), Object(Tinebase_Backend_Sql))
#3 /var/www/tine20/Tinebase/Backend/Sql/Abstract.php(583): Tinebase_Backend_Sql_Filter_FilterGroup::appendFilters(Object(Zend_Db_Select), Object(Tinebase_Model_ConfigFilter), Object(Tinebase_Backend_Sql))
#4 /var/www/tine20/Tinebase/Backend/Sql/Abstract.php(535): Tinebase_Backend_Sql_Abstract->addFilter(Object(Zend_Db_Select), Object(Tinebase_Model_ConfigFilter))
#5 /var/www/tine20/Tinebase/Config/Abstract.php(594): Tinebase
in /var/www/tine20/Tinebase/Backend/Sql/Abstract.php on line 209, referer: https://tine.example.com/tine20/

The exception is now handled completely in tine20 and not, like the first reported exception, in Zend Framework. So I can't reproduce it any more. It's also interesting that you got an "Access denied" instead of an "Unknown database" error like in my example.

You also asked for php version and error settings.
Here they are.
PHP=7.0 (installed by apt)

Error settings in "/etc/php/7.0/apache2/php.ini"
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = On

Gloirin commented Jun 11, 2018

Comment posted by pschuele on 12 Apr 2018 14:23

ok, thanks for the feedback. closing this issue.
