Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20171029140036.53561667@pc1>
Date: Sun, 29 Oct 2017 14:00:36 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Drupal backup_migrate information leak (was Fw: Database
 mishandling at defectivebydesign.org)

This comes down to a severe design flaw in how drupal handles private
files.

The doc for the module contains a warning, however it leads to a dead
link...
https://www.drupal.org/project/backup_migrate

Begin forwarded message:

Date: Fri, 27 Oct 2017 23:55:52 -0400
Subject: Database mishandling at defectivebydesign.org


Dear DefectiveByDesign.org supporter,

On Wednesday, October 25th, we received an email letting us know that
an old Drupal database backup file was publicly accessible on
defectivebydesign.org, a site operated by the Free Software
Foundation. This backup file contained contact information and other
details that should not have been public, submitted from 2007-2012.
You are receiving this message because the file included this email
address, possibly linked with other details listed below. We believe
it has been publicly accessible since 2012, though unadvertised, and
until recently, not indexed by search engines.

Within minutes of receiving the report, we removed the file and
started auditing defectivebydesign.org and the rest of our sites.

The file did not contain any passwords or password hashes, financial
information, mailing addresses, or information about users who
interacted with the site without ever logging in. While it is
certainly possible, we have seen no evidence that the file was
accessed by anyone other than the reporter and the search crawler, nor
republished anywhere else.

The file did include (from both real and spambot users' profiles):

  * ~28,000 email addresses;
  * user and contact names;
  * some IP addresses associated with comments on posts;
  * ~200 phone numbers;
  * some preferred language settings;
  * some information users shared about whether they participated in a
    particular campaign action (like a call-in), and
  * timestamps of users submitting data.

While some of this information was intended by users to be public,
some of it definitely was not.

I am deeply and personally sorry for this mistake. We know how
important your privacy is to you; we fight on your behalf every day
against restrictive and invasive technologies that threaten it.

We also don't believe in covering up our mistakes, so I wanted to let
you know as soon as possible that you were affected -- shortly after
we had finished our initial audit to make sure we understood the full
extent of the problem and fixed the most urgent issues.

Even though we are a small team, under pressure to move fast against
extremely large forces, this kind of mistake is absolutely
unacceptable. We have made many improvements in our security practices
since 2012, and in light of this failure will be taking a deeper look
at what else we need to do.

If you have any follow-up questions, please email us at
<sysadmin@....org>, and CC me at <johns@....org>.

On behalf of everyone here: We are sorry.

Thank you,  
John Sullivan  
Executive Director  

P.S. If you are a Drupal site administrator using the backup-migrate
module, make sure to check your configuration settings to ensure
backup files are private. In just a few minutes of searching, we found
others who are making the same mistake we did.

-- 
* Follow us at <https://status.fsf.org/fsf>. 
* Subscribe to our RSS feeds at <https://fsf.org/blogs/RSS>.
* Join us as an associate member at <https://www.fsf.org/jf>.

Sent from the Free Software Foundation,

51 Franklin St, Fifth Floor
Boston, Massachusetts 02110-1335
UNITED STATES



-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.