Bug 202262

Summary: sysutils/froxlor: database password information leak (CVE-2015-5959)
Product: Ports & Packages    Reporter: Jason Unovitch <junovitch>
Component: Individual Port(s)    Assignee: Jason Unovitch <junovitch>
Status: Closed FIXED
Severity: Affects Some People    CC: coco
Priority: ---    Keywords: security
Version: Latest    Flags: bugzilla: maintainer-feedback? (coco)
Hardware: Any
OS: Any
Attachments (description, flags):
security/vuxml entry for froxlor < 0.9.33.2 (flags: none)
Update to 0.99.3.2, including minor changes (flags: none)
Update to 0.99.3.2, including minor changes (with QA) (flags: none)
Update to 0.99.3.2, including minor changes (with QA) (flags: none)
Poudriere testport log from 10.1-RELEASE jail (flags: none)

Description Jason Unovitch freebsd_committer freebsd_triage 2015-08-12 01:03:17 UTC
Maintainer of sysutils/froxlor,
There is a security advisory relevant to the current version of Froxlor in the ports collection.


Affects
=======
- Froxlor 0.9.33.1 and earlier

Fixed
=====
- Froxlor 0.9.33.2

Summary
=======

An unauthenticated remote attacker is able to get the database password via webaccess due to wrong file permissions of the /logs/ folder in froxlor version 0.9.33.1 and earlier. The plain SQL password and username may be stored in the /logs/sql-error.log file. This directory is publicly reachable under the default configuration/setup.

Full Source Reference is available:
http://seclists.org/oss-sec/2015/q3/238
Comment 1 Jason Unovitch freebsd_committer freebsd_triage 2015-08-12 02:25:10 UTC
Looking at this:
https://forum.froxlor.org/index.php/topic/13054-important-bugfix-release-09332/

And a small quote for this...
>>actually this fix is missing the removal of the compromised logfiles, otherwise it fixes future logging of passwords, but not the access to the logfile that has been compromised.
>Sorry, as i was pushed to do a release it just got lost in the hurry...removing all .log files from the directory should do the job, alternatively just use the class.ConfigIO.php from Github (https://github.com/F...ss.ConfigIO.php) 

I believe we should factor into our VuXML or pkg-message that old logs may still contain their database password.  I intend to research that a bit closer and provide a recommendation.
Comment 2 Marco Steinbach 2015-08-12 18:18:49 UTC
I second Jason's suggestion for adding a hint regarding the potential leakage of information in pre-0.9.33.2 log file entries, possibly including a hint for mitigating measures.

The preferred measure is to remove log files containing pre-0.9.33.2 entries after backing them up for possible investigation.

Additionally, access to the log file directory should be restricted -- this is also a workaround, albeit a rather weak one, for users not willing or unable to upgrade from their current version at this point in time.

The announcement thread including hints for mitigating measures can be found here: https://forum.froxlor.org/index.php/topic/13054-important-bugfix-release-09332/


There was a rather inconvenient bug in 0.9.33.1, which is why I did not update the port for quite a while, waiting for a 0.9.33.2 release.


Since 0.9.33.2 seems to have been rushed out of the door quite hastily, I'll need a few hours for testing, before submitting a patch.

Kind regards, CoCo
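The two measures Marco lists above (back up and remove pre-0.9.33.2 log files, then restrict access to the logs directory), as an added example script; this is not code from the bug report or from Froxlor. It assumes the operator passes the Froxlor /logs/ directory, a backup location outside the web root, and the database password from the Froxlor configuration, and that Apache honours .htaccess in that directory.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Froxlor.
# Assumed inputs: LOGDIR  = Froxlor's web-reachable /logs/ directory
#                 BACKUP  = a directory outside the web root
#                 DBPASS  = database password from the Froxlor configuration

# Report whether any log file still carries the database password.
# Returns 0 (found) when the credential must be treated as exposed,
# 1 when no log file contains it.
logs_leak_password() {
    logdir=$1; dbpass=$2
    for f in "$logdir"/*.log; do
        [ -f "$f" ] || continue
        if grep -qF -- "$dbpass" "$f"; then
            echo "leak: $f contains the database password"
            return 0
        fi
    done
    return 1
}

# Preserve the log files for investigation, remove them from the
# web-reachable directory, and deny web access to what remains.
# Prints the path of the backup archive.
mitigate_logdir() {
    logdir=$1; backupdir=$2
    stamp=$(date +%Y%m%d%H%M%S)
    umask 077                      # backup readable by its owner only
    mkdir -p "$backupdir"
    tar -C "$logdir" -cf "$backupdir/froxlor-logs-$stamp.tar" . || return 1
    rm -f "$logdir"/*.log
    chmod 0750 "$logdir"
    # Apache 2.4 syntax; Apache 2.2 would need "Deny from all" instead.
    printf 'Require all denied\n' > "$logdir/.htaccess"
    echo "$backupdir/froxlor-logs-$stamp.tar"
}
```

If `logs_leak_password` reports a hit, the database password should be changed after the logs are removed, since the file may already have been fetched.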
Comment 3 Jason Unovitch freebsd_committer freebsd_triage 2015-08-13 01:45:40 UTC
Created attachment 159831 [details]
security/vuxml entry for froxlor < 0.9.33.2

Document Froxlor database password information disclosure vulnerability

PR:		202262
Approved by:	feld|delphij|pgollucci (mentor)


Ok, so I based VuXML off the CVE request combined with the recommendation from the Froxlor forum to attempt to succinctly convey this in VuXML.  I think a pkg-message entry may be prudent for folks that don't read the entries and just upgrade the port and call it done.  We'll factor that in when we can update the port.  Thanks for working on this by the way.

Validation for our VuXML documentation:
% make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit froxlor-0.9.33.1
froxlor-0.9.33.1 is vulnerable:
froxlor -- database password information leak
CVE: CVE-2015-5959
WWW: https://vuxml.FreeBSD.org/freebsd/9ee72858-4159-11e5-93ad-002590263bf5.html

1 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit froxlor-0.9.33.2
0 problem(s) in the installed packages found.
Comment 4 commit-hook freebsd_committer freebsd_triage 2015-08-13 02:07:52 UTC
A commit references this bug:

Author: junovitch
Date: Thu Aug 13 02:07:34 UTC 2015
New revision: 394049
URL: https://svnweb.freebsd.org/changeset/ports/394049

Log:
  Document Froxlor database password information disclosure vulnerability

  PR:		202262
  Security:	CVE-2015-5959
  Security:	9ee72858-4159-11e5-93ad-002590263bf5
  Approved by:	feld (mentor)

Changes:
  head/security/vuxml/vuln.xml
Comment 5 Marco Steinbach 2015-08-13 22:23:22 UTC
Much appreciated, thank you.  The change in behaviour I referred to as being a bug still remains, show-stopping any update. I'm working on a feasible local fix, ignoring (valid) upstream concerns.
Comment 6 Jason Unovitch freebsd_committer freebsd_triage 2015-08-15 12:55:45 UTC
(In reply to Marco Steinbach from comment #5)
What is the bug?  Is this something we can work together on to patch locally or are you attempting to work with upstream to get this in a hotfix type release (i.e. 0.9.33.3)?
Comment 7 Marco Steinbach 2015-08-19 22:50:52 UTC
Created attachment 160120 [details]
Update to 0.99.3.2, including minor changes

- Update to 0.99.3.2 due to security issue
- Minor option fixes (support Dovecot 2, use default Apache version)
- Add security hint to pkg-message
Comment 8 Jason Unovitch freebsd_committer freebsd_triage 2015-08-19 23:09:15 UTC
Created attachment 160121 [details]
Update to 0.99.3.2, including minor changes (with QA)

- Remove commented #DOVECOT2_RUN_DEPENDS (we already have the active one underneath, do we need the clutter?)
- Add apostrophe in pkg-message (froxlor's website)
- Modernize pkg-plist: convert @dirrmtry -> @dir

Portlint QA:

% portlint -ac
looks fine.

Poudriere is in progress now.
Comment 9 Jason Unovitch freebsd_committer freebsd_triage 2015-08-20 01:35:03 UTC
Created attachment 160123 [details]
Update to 0.99.3.2, including minor changes (with QA)

(In reply to Jason Unovitch from comment #8)
Actually regarding the @dir/@dirrmtry, per the porter's handbook "By default, directories created under PREFIX by a package installation are automatically removed."  Everything is under the WWWDIR so remove the @dir's and align this closer to other ports that are similar.

Also address NO_ARCH per Poudriere QA.  While here change the YES -> yes to be consistent throughout the Makefile and consistent with what is more prevalent in ports and in the handbook.

With revisions,
# portlint -ac
looks fine.

Final log of the big changes for commit:

sysutils/froxlor: security update 0.9.32_3 -> 0.9.33.2

- Update to 0.9.33.2
- Minor option and format fixes (support Dovecot 2, use default Apache version)
- Add security hint to pkg-message
- Add NO_ARCH
- Drop @dirrmtry as all pkg-plist files are under PREFIX

PR:		202262
Security:	CVE-2015-5959
Security:	9ee72858-4159-11e5-93ad-002590263bf5
Approved by:	feld|delphij|pgollucci (mentor)
MFH:		2015Q3
Comment 10 Jason Unovitch freebsd_committer freebsd_triage 2015-08-20 01:36:25 UTC
(In reply to Jason Unovitch from comment #9)

Forgot one thing, the submitted by.  Updated commit message:

sysutils/froxlor: security update 0.9.32_3 -> 0.9.33.2

- Update to 0.9.33.2
- Minor option and format fixes (support Dovecot 2, use default Apache version)
- Add security hint to pkg-message
- Add NO_ARCH
- Drop @dirrmtry as all pkg-plist files are under PREFIX

PR:		202262
Security:	CVE-2015-5959
Security:	9ee72858-4159-11e5-93ad-002590263bf5
Submitted by:	Marco Steinbach <coco@executive-computing.de> (maintainer)
Approved by:	feld|delphij|pgollucci (mentor)
MFH:		2015Q3
Comment 11 Jason Unovitch freebsd_committer freebsd_triage 2015-08-20 01:38:17 UTC
Created attachment 160124 [details]
Poudriere testport log from 10.1-RELEASE jail

Poudriere testing done on all supported releases:

9.3-RELEASE-p21      amd64
9.3-RELEASE-p21      i386
10.1-RELEASE-p17     amd64 
10.1-RELEASE-p17     i386
10.2-RELEASE         amd64
10.2-RELEASE         i386
11.0-CURRENT r286886 amd64
11.0-CURRENT r286888 i386
Comment 12 commit-hook freebsd_committer freebsd_triage 2015-08-20 15:54:45 UTC
A commit references this bug:

Author: junovitch
Date: Thu Aug 20 15:54:15 UTC 2015
New revision: 394890
URL: https://svnweb.freebsd.org/changeset/ports/394890

Log:
  sysutils/froxlor: security update 0.9.32_3 -> 0.9.33.2

  - Update to 0.9.33.2
  - Minor option and format fixes (support Dovecot 2, use default Apache version)
  - Add security hint to pkg-message
  - Add NO_ARCH
  - Drop @dirrmtry as all pkg-plist files are under PREFIX

  PR:		202262
  Security:	CVE-2015-5959
  Security:	9ee72858-4159-11e5-93ad-002590263bf5
  Submitted by:	Marco Steinbach <coco@executive-computing.de> (maintainer)
  Approved by:	feld (mentor)
  MFH:		2015Q3

Changes:
  head/sysutils/froxlor/Makefile
  head/sysutils/froxlor/distinfo
  head/sysutils/froxlor/files/pkg-message.in
  head/sysutils/froxlor/pkg-plist
Comment 13 commit-hook freebsd_committer freebsd_triage 2015-08-20 15:56:47 UTC
A commit references this bug:

Author: junovitch
Date: Thu Aug 20 15:56:05 UTC 2015
New revision: 394892
URL: https://svnweb.freebsd.org/changeset/ports/394892

Log:
  MFH: r394890

  sysutils/froxlor: security update 0.9.32_3 -> 0.9.33.2

  - Update to 0.9.33.2
  - Minor option and format fixes (support Dovecot 2, use default Apache version)
  - Add security hint to pkg-message
  - Add NO_ARCH
  - Drop @dirrmtry as all pkg-plist files are under PREFIX

  PR:		202262
  Security:	CVE-2015-5959
  Security:	9ee72858-4159-11e5-93ad-002590263bf5
  Submitted by:	Marco Steinbach <coco@executive-computing.de> (maintainer)
  Approved by:	ports-secteam (feld), feld (mentor)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/sysutils/froxlor/Makefile
  branches/2015Q3/sysutils/froxlor/distinfo
  branches/2015Q3/sysutils/froxlor/files/pkg-message.in
  branches/2015Q3/sysutils/froxlor/pkg-plist
Comment 14 Jason Unovitch freebsd_committer freebsd_triage 2015-08-20 15:57:31 UTC
Marco,
Thanks for your work! The update has been committed.
Comment 15 Jason Unovitch freebsd_committer freebsd_triage 2015-08-20 15:58:35 UTC
Comment on attachment 160120 [details]
Update to 0.99.3.2, including minor changes

Tag original submission as obsolete for post close cleanup.