Maintainer of sysutils/froxlor,

There is a security advisory relevant to the current version of Froxlor in the ports collection.

Affects
=======
- Froxlor 0.9.33.1 and earlier

Fixed
=====
- Froxlor 0.9.33.2

Summary
=======
An unauthenticated remote attacker is able to get the database password via web access due to wrong file permissions of the /logs/ folder in Froxlor version 0.9.33.1 and earlier. The plain SQL password and username may be stored in the /logs/sql-error.log file. This directory is publicly reachable under the default configuration/setup.

Full Source Reference is available: http://seclists.org/oss-sec/2015/q3/238
Looking at this: https://forum.froxlor.org/index.php/topic/13054-important-bugfix-release-09332/

And a small quote for this...

>> actually this fix is missing the removal of the compromised logfiles, otherwise it fixes future logging of passwords, but not the access to the logfile that has been compromised.
> Sorry, as I was pushed to do a release it just got lost in the hurry... removing all .log files from the directory should do the job, alternatively just use the class.ConfigIO.php from Github (https://github.com/F...ss.ConfigIO.php)

I believe we should factor into our VuXML or pkg-message that old logs may still contain their database password. I intend to research that a bit closer and provide a recommendation.
I second Jason's suggestion for adding a hint regarding the potential leakage of information in pre-0.9.33.2 log file entries, possibly including a hint for mitigating measures.

The preferred measure is to remove log files containing pre-0.9.33.2 entries after backing them up for possible investigation. Additionally, access to the log file directory should be restricted -- this also is a, albeit rather weak, workaround for users not willing or unable to upgrade from their current version at this point in time.

The announcement thread including hints for mitigating measures can be found here: https://forum.froxlor.org/index.php/topic/13054-important-bugfix-release-09332/

There was a rather inconvenient bug in 0.9.33.1, which is why I did not update the port for quite a while, waiting for a 0.9.33.2 release. Since 0.9.33.2 seems to have been rushed out of the door quite hastily, I'll need a few hours for testing, before submitting a patch.

MfG CoCo
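The mitigation discussed in the advisory and in the comment above (check old log files for leaked SQL credentials, back them up for investigation, remove them, and restrict the log directory), as an added example script that is neither part of this PR nor of Froxlor; the install tree, file names and log contents below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Froxlor's or the port's code. Quarantines .log files that a
# pre-0.9.33.2 Froxlor may have written SQL credentials into, then locks down
# the directory so the web server can no longer serve it.

# Exit 1 (and print the file) if any .log under $1 has a credential-looking line.
# The pattern is an assumption; tune it to the actual sql-error.log format.
find_leaks() {
    logdir=$1
    found=0
    for f in "$logdir"/*.log; do
        [ -f "$f" ] || continue
        if grep -qiE 'password|passwd' "$f"; then
            echo "possible credential leak: $f"
            found=1
        fi
    done
    return $found
}

# Copy every .log under $1 into $2 (created owner-only via umask 077), remove
# the originals, and restrict the log directory itself to its owner.
quarantine_logs() {
    logdir=$1
    backup=$2
    umask 077
    mkdir -p "$backup"
    for f in "$logdir"/*.log; do
        [ -f "$f" ] || continue
        cp -p "$f" "$backup/" && rm -f "$f"
    done
    chmod 0700 "$logdir"
}

# Constructed demo input: a throwaway tree standing in for a Froxlor install,
# with a world-readable logs/ directory like the vulnerable default.
demo_setup() {
    root=$1
    mkdir -p "$root/logs"
    printf 'SQL connect failed for user froxlor password s3cret\n' > "$root/logs/sql-error.log"
    printf 'cron run ok\n' > "$root/logs/cron.log"
    chmod 0755 "$root/logs"
}

DEMO=${TMPDIR:-/tmp}/froxlor-demo.$$
demo_setup "$DEMO"
find_leaks "$DEMO/logs" || echo "leaks found, quarantining"
quarantine_logs "$DEMO/logs" "$DEMO/backup"
rm -rf "$DEMO"
```

Run it against the real install directory instead of the demo tree once you have reviewed the backup location; the backup keeps the evidence while the web-reachable copy is gone.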
Created attachment 159831 [details]
security/vuxml entry for froxlor < 0.9.33.2

Document Froxlor database password information disclosure vulnerability

PR:		202262
Approved by:	feld|delphij|pgollucci (mentor)

Ok, so I based VuXML off the CVE request combined with the recommendation from the Froxlor forum to attempt to succinctly convey this in VuXML. I think a pkg-message entry may be prudent for folks that don't read the entries and just upgrade the port and call it done. We'll factor that in when we can update the port. Thanks for working on this by the way.

Validation for our VuXML documentation:

% make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml
% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit froxlor-0.9.33.1
froxlor-0.9.33.1 is vulnerable:
froxlor -- database password information leak
CVE: CVE-2015-5959
WWW: https://vuxml.FreeBSD.org/freebsd/9ee72858-4159-11e5-93ad-002590263bf5.html

1 problem(s) in the installed packages found.
% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit froxlor-0.9.33.2
0 problem(s) in the installed packages found.
A commit references this bug:

Author: junovitch
Date: Thu Aug 13 02:07:34 UTC 2015
New revision: 394049
URL: https://svnweb.freebsd.org/changeset/ports/394049

Log:
  Document Froxlor database password information disclosure vulnerability

  PR:		202262
  Security:	CVE-2015-5959
  Security:	9ee72858-4159-11e5-93ad-002590263bf5
  Approved by:	feld (mentor)

Changes:
  head/security/vuxml/vuln.xml
Much appreciated, thank you. The change in behaviour I referred to as being a bug still remains, show stopping any update. I'm working on a feasible local fix, ignoring (valid) upstream concerns.
(In reply to Marco Steinbach from comment #5) What is the bug? Is this something we can work together on to patch locally or are you attempting to work with upstream to get this in a hotfix type release (i.e. 0.9.33.3)?
Created attachment 160120 [details]
Update to 0.99.3.2, including minor changes

- Update to 0.99.3.2 due to security issue
- Minor option fixes (support Dovecot 2, use default Apache version)
- Add security hint to pkg-message
Created attachment 160121 [details]
Update to 0.99.3.2, including minor changes (with QA)

- Remove commented #DOVECOT2_RUN_DEPENDS (we already have the active one underneath, do we need the clutter?)
- Add apostrophe in pkg-message (froxlor's website)
- Modernize pkg-plist: convert @dirrmtry -> @dir

Portlint QA:
% portlint -ac
looks fine.

Poudriere is in progress now.
Created attachment 160123 [details]
Update to 0.99.3.2, including minor changes (with QA)

(In reply to Jason Unovitch from comment #8)

Actually regarding the @dir/@dirrmtry, per the porter's handbook "By default, directories created under PREFIX by a package installation are automatically removed." Everything is under the WWWDIR so remove the @dir's and align this closer to other ports that are similar.

Also address NO_ARCH per Poudriere QA. While here change the YES -> yes to be consistent throughout the Makefile and consistent with what is more prevalent in ports and in the handbook.

With revisions,
# portlint -ac
looks fine.

Final log of the big changes for commit:

sysutils/froxlor: security update 0.9.32_3 -> 0.9.33.2

- Update to 0.9.33.2
- Minor option and format fixes (support Dovecot 2, use default Apache version)
- Add security hint to pkg-message
- Add NO_ARCH
- Drop @dirrmtry as all pkg-plist files are under PREFIX

PR:		202262
Security:	CVE-2015-5959
Security:	9ee72858-4159-11e5-93ad-002590263bf5
Approved by:	feld|delphij|pgollucci (mentor)
MFH:		2015Q3
(In reply to Jason Unovitch from comment #9)

Forgot one thing, the submitted by. Updated commit message:

sysutils/froxlor: security update 0.9.32_3 -> 0.9.33.2

- Update to 0.9.33.2
- Minor option and format fixes (support Dovecot 2, use default Apache version)
- Add security hint to pkg-message
- Add NO_ARCH
- Drop @dirrmtry as all pkg-plist files are under PREFIX

PR:		202262
Security:	CVE-2015-5959
Security:	9ee72858-4159-11e5-93ad-002590263bf5
Submitted by:	Marco Steinbach <coco@executive-computing.de> (maintainer)
Approved by:	feld|delphij|pgollucci (mentor)
MFH:		2015Q3
Created attachment 160124 [details]
Poudriere testport log from 10.1-RELEASE jail

Poudriere testing done on all supported releases:
9.3-RELEASE-p21 amd64
9.3-RELEASE-p21 i386
10.1-RELEASE-p17 amd64
10.1-RELEASE-p17 i386
10.2-RELEASE amd64
10.2-RELEASE i386
11.0-CURRENT r286886 amd64
11.0-CURRENT r286888 i386
A commit references this bug:

Author: junovitch
Date: Thu Aug 20 15:54:15 UTC 2015
New revision: 394890
URL: https://svnweb.freebsd.org/changeset/ports/394890

Log:
  sysutils/froxlor: security update 0.9.32_3 -> 0.9.33.2

  - Update to 0.9.33.2
  - Minor option and format fixes (support Dovecot 2, use default Apache version)
  - Add security hint to pkg-message
  - Add NO_ARCH
  - Drop @dirrmtry as all pkg-plist files are under PREFIX

  PR:		202262
  Security:	CVE-2015-5959
  Security:	9ee72858-4159-11e5-93ad-002590263bf5
  Submitted by:	Marco Steinbach <coco@executive-computing.de> (maintainer)
  Approved by:	feld (mentor)
  MFH:		2015Q3

Changes:
  head/sysutils/froxlor/Makefile
  head/sysutils/froxlor/distinfo
  head/sysutils/froxlor/files/pkg-message.in
  head/sysutils/froxlor/pkg-plist
A commit references this bug:

Author: junovitch
Date: Thu Aug 20 15:56:05 UTC 2015
New revision: 394892
URL: https://svnweb.freebsd.org/changeset/ports/394892

Log:
  MFH: r394890

  sysutils/froxlor: security update 0.9.32_3 -> 0.9.33.2

  - Update to 0.9.33.2
  - Minor option and format fixes (support Dovecot 2, use default Apache version)
  - Add security hint to pkg-message
  - Add NO_ARCH
  - Drop @dirrmtry as all pkg-plist files are under PREFIX

  PR:		202262
  Security:	CVE-2015-5959
  Security:	9ee72858-4159-11e5-93ad-002590263bf5
  Submitted by:	Marco Steinbach <coco@executive-computing.de> (maintainer)
  Approved by:	ports-secteam (feld), feld (mentor)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/sysutils/froxlor/Makefile
  branches/2015Q3/sysutils/froxlor/distinfo
  branches/2015Q3/sysutils/froxlor/files/pkg-message.in
  branches/2015Q3/sysutils/froxlor/pkg-plist
Marco, Thanks for your work! The update has been committed.
Comment on attachment 160120 [details]
Update to 0.99.3.2, including minor changes

Tag original submission as obsolete for post close cleanup.