FreeBSD : froxlor -- database password information leak (9ee72858-4159-11e5-93ad-002590263bf5)
Medium Nessus Plugin ID 85369
Synopsis: The remote FreeBSD host is missing a security-related update.
Description: [email protected] reports:
An unauthenticated remote attacker is able to get the database password via webaccess due to wrong file permissions of the /logs/ folder in froxlor version 0.9.33.1 and earlier. The plain SQL password and username may be stored in the /logs/sql-error.log file. This directory is publicly reachable under the default configuration/setup.
Note that froxlor 0.9.33.2 prevents future logging of passwords but does not retroactively remove passwords already logged. Michael Kaufmann, the Froxlor lead developer, reports:
Removing all .log files from the directory should do the job; alternatively, just use the class.ConfigIO.php from GitHub.
Solution: Update the affected package.