oss-sec mailing list archives
From: Fay Stegerman <flx () obfusk net>
Date: Sat, 18 Jan 2025 03:31:27 +0100
Hi!
Reposting this [1] here with permission:
Public disclosure of security vulnerability in @writefreely [2]:
I reported this privately to the project maintainers back in October. There
has been no further movement from them since I made my initial report, so I
have decided to make this public so that #writefreely admins can properly
secure their instances.
Affects: Any Writefreely instance backed by a #mysql database running on any
#linux-based platform (other platforms may be affected as well, I have not
tested).
Severity as assessed by CVSS v3: Critical (9.3)
Summary:
If you use the standard getting started
instructions (https://writefreely.org/start) and set up to connect to a MySQL
database with `writefreely config start`, the created config.ini file stores
the complete database connection configuration, including host, username, and
password in plain-text in a world-readable file.
If Writefreely is being run on a shared machine, an attacker with access to
that machine could use this to gain complete access to the underlying
database, including user account passwords, private posts, and anything else
stored by Writefreely, as well as potentially altering or deleting anything
there.
PoC:
1. Download Writefreely
2. Run setup with `writefreely config start`
3. Select a MySQL backend and provide a username and password
4. Finish setup
5. A publicly readable config.ini file is immediately created with all of the
database credentials in it.
Impact:
Tested on Ubuntu 22.04. Probably true at least for all Linux builds. Any
Writefreely instance running on a shared machine is potentially vulnerable to
total database compromise.
Attack vector: Local, an attacker would need console access to the machine
running the Writefreely instance to gain access to it.
Attack complexity: Low, they need only check for a readable config.ini file.
Privileges required: None, the file is world-readable.
User interaction: None
Confidentiality: High, an attacker could gain complete access to the MySQL
database, including contents of any private or unpublished posts.
Integrity: High, an attacker could gain complete write access to the MySQL
database and overwrite it with any information they'd like. Additionally, an
administrator could be totally unaware of any compromise, as this access may
not leave any traces of its presence.
Availability: High, an attacker could completely erase or corrupt the backing
database, bringing the server down, and completely destroying all contents
that have not been backed up.
Fix: Administrators of Writefreely instances backed by MySQL databases,
particularly those on shared machines, should immediately check the
permissions of their config.ini file and make it readable to the file owner
only. This file contains sensitive information and should not be public.
Additionally, any time they use Writefreely's console tools to change their
server settings, they should recheck their config.ini's permissions, as
Writefreely's automated tools can reset the file permissions.
- Fay
[1] https://raphus.social/@TV4Fun/113846757112643161
[2] https://github.com/writefreely/writefreely
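As an added example (not from the advisory, its poster, or the WriteFreely project), a POSIX shell audit that detects a config.ini readable by group or others and restricts it to the owner, which is the fix the advisory recommends. The default path `config.ini` and the reliance on `ls`, `cut` and `chmod` are assumptions; the sample file contents used in testing are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory or of WriteFreely itself:
# audit a WriteFreely config.ini for group/world access and lock it
# down to the owner. Portable POSIX sh; uses only ls, cut and chmod.

# Print the 10-character mode string of a file, e.g. "-rw-r--r--".
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Exit 0 when group or other has ANY permission bit set on $1,
# i.e. the file is not private to its owner; exit 1 when it is private.
config_exposed() {
    m=$(mode_string "$1") || return 2
    case "$(printf '%s' "$m" | cut -c5-10)" in
        ------) return 1 ;;   # only owner bits set: not exposed
        *)      return 0 ;;   # at least one group/other bit: exposed
    esac
}

# Restrict $1 to owner read/write, then verify the result.
harden_config() {
    chmod 600 "$1" && ! config_exposed "$1"
}

# Report on a config file; exit 1 means the file leaks its contents.
# Re-run this after every `writefreely config` invocation, since the
# advisory notes the tooling can reset the permissions.
audit_config() {
    f=${1:-config.ini}           # assumed default path
    if [ ! -f "$f" ]; then
        echo "audit: $f not found" >&2
        return 2
    fi
    if config_exposed "$f"; then
        echo "EXPOSED: $f is $(mode_string "$f"); DB credentials readable by others"
        return 1
    fi
    echo "OK: $f is $(mode_string "$f")"
}

# Audit and, only if needed, harden; exit 0 once the file is private.
audit_and_fix() {
    audit_config "$1" && return 0
    harden_config "$1" && echo "fixed: $1 is now $(mode_string "$1")"
}
```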
Thread: WriteFreely exposes database credentials through insecure file permissions (Fay Stegerman, Jan 18)