Message-ID: <Z4sSf6NqeLUBErxc@nihonium>
Date: Sat, 18 Jan 2025 03:31:27 +0100
From: Fay Stegerman <flx@...usk.net>
To: oss-security@...ts.openwall.com
Subject: WriteFreely exposes database credentials through insecure file
 permissions

Hi!

Reposting this [1] here with permission:

> Public disclosure of security vulnerability in @writefreely [2]:

> I reported this privately to the project maintainers back in October. There
> has been no further movement from them since I made my initial report, so I
> have decided to make this public so that #writefreely admins can properly
> secure their instances.

> Affects: Any Writefreely instance backed by a #mysql database running on any
> #linux-based platform (other platforms may be affected as well, I have not
> tested).

> Severity as assessed by CVSS v3: Critical (9.3)

> Summary:
> If you use the standard getting started
> instructions (https://writefreely.org/start) and set up to connect to a MySQL
> database with `writefreely config start`, the created config.ini file stores
> the complete database connection configuration, including host, username, and
> password in plain-text in a world-readable file.

> If Writefreely is being run on a shared machine, an attacker with access to
> that machine could use this to gain complete access to the underlying
> database, including user account passwords, private posts, and anything else
> stored by Writefreely, as well as potentially altering or deleting anything
> there.

> PoC:
> 1. Download Writefreely
> 2. Run setup with `writefreely config start`
> 3. Select a MySQL backend and provide a username and password
> 4. Finish setup
> 5. A publicly readable config.ini file is immediately created with all of the
> database credentials in it.

> Impact:
> Tested on Ubuntu 22.04. Probably true at least for all Linux builds. Any
> Writefreely instance running on a shared machine is potentially vulnerable to
> total database compromise.

> Attack vector: Local, an attacker would need console access to the machine
> running the Writefreely instance to gain access to it.
> Attack complexity: Low, they need only check for a readable config.ini file.
> Privileges required: None, the file is world-readable.
> User interaction: None
> Confidentiality: High, an attacker could gain complete access to the MySQL
> database, including contents of any private or unpublished posts.
> Integrity: High, an attacker could gain complete write access to the MySQL
> database and overwrite it with any information they'd like. Additionally, an
> administrator could be totally unaware of any compromise, as this access may
> not leave any traces of its presence.
> Availability: High, an attacker could completely erase or corrupt the backing
> database, bringing the server down, and completely destroying all contents
> that have not been backed up.

> Fix: Administrators of Writefreely instances backed by MySQL databases,
> particularly those on shared machines, should immediately check the
> permissions of their config.ini file and make it readable to the file owner
> only. This file contains sensitive information and should not be public.
> Additionally, any time they use Writefreely's console tools to change their
> server settings, they should recheck their config.ini's permissions, as
> Writefreely's automated tools can reset the file permissions.

- Fay

[1] https://raphus.social/@TV4Fun/113846757112643161
[2] https://github.com/writefreely/writefreely
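The fix section above asks administrators to check the mode of config.ini and to recheck it after every use of the `writefreely config` tools. The following script is an added example (not WriteFreely project code) that does exactly that audit: it reports whether config.ini is readable by group or others, confirms the file actually carries a database password (the `[database]` section name and `password` key are assumed from the project's INI layout), and tightens the mode to owner-only. It assumes a POSIX sh with find(1), chmod(1) and awk(1).

```shell
#!/bin/sh
# Added example: audit and tighten the mode of a WriteFreely config.ini,
# which stores the MySQL host, username and password in plain text.

# Return 0 if the file is readable by its owner only, 1 if group or others
# have the read bit, 2 if the file does not exist.
config_is_private() {
    f="$1"
    [ -f "$f" ] || return 2
    # find(1) prints the path only when all of the given bits are set
    if [ -n "$(find "$f" -perm -g+r -print)" ] ||
       [ -n "$(find "$f" -perm -o+r -print)" ]; then
        return 1
    fi
    return 0
}

# Return 0 if a "password" key appears inside the [database] section
# (section and key names are an assumption about the INI layout).
has_db_password() {
    awk '/^\[/ { in_db = ($0 ~ /^\[database\]/) }
         in_db && /^[[:space:]]*password[[:space:]]*=/ { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Strip every group/other bit so only the owner can read or write the file,
# then return the result of re-checking it.
harden_config() {
    f="$1"
    [ -f "$f" ] || return 2
    chmod 600 "$f" && config_is_private "$f"
}

# One-line report suitable for a cron job or a post-setup hook; the return
# value is the code from config_is_private.
audit_config() {
    f="${1:-config.ini}"
    config_is_private "$f"; rc=$?
    case $rc in
        0) echo "OK: $f is readable by its owner only" ;;
        1) if has_db_password "$f"; then extra=" and contains a database password"; else extra=""; fi
           echo "WARNING: $f is readable by group or others$extra; run: chmod 600 $f" ;;
        2) echo "ERROR: $f not found" ;;
    esac
    return $rc
}

# Usage: sh wf-config-audit.sh /path/to/config.ini
[ $# -gt 0 ] && audit_config "$1"
```

Run it after `writefreely config start` and after any later `writefreely config` invocation, since the report notes those tools can reset the file mode.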
