froxlor -- database password information leak

ID 9EE72858-4159-11E5-93AD-002590263BF5
Type freebsd
Reporter FreeBSD
Modified 2015-07-29T00:00:00

Description reports:

An unauthenticated remote attacker is able to get the database password via web access due to wrong file permissions of the /logs/ folder in froxlor version and earlier. The plain SQL password and username may be stored in the /logs/sql-error.log file. This directory is publicly reachable under the default configuration/setup.

Note that froxlor prevents future logging of passwords but does not retroactively remove passwords already logged. Michael Kaufmann, the Froxlor lead developer, reports:

Removing all .log files from the directory should do the job; alternatively, just use the class.ConfigIO.php from GitHub.
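As an added example (not part of the FreeBSD advisory or of Froxlor's own code), a POSIX shell audit that checks whether a Froxlor /logs/ directory is still readable by other users, whether it still holds .log files, and removes them as recommended above; the directory path argument and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Froxlor code. The logs directory is passed as an
# argument because the install path varies between setups.

# froxlor_logs_world_readable DIR
# Returns 0 when "others" have read access to DIR (the web server's uid is
# usually in that class), 1 otherwise. Uses ls(1) output for portability
# between GNU and BSD stat(1). Whether DIR sits under the served document
# root must still be checked against the web server configuration.
froxlor_logs_world_readable() {
    other_read=$(ls -ld -- "$1" | cut -c8)
    [ "$other_read" = "r" ]
}

# froxlor_logs_exposed DIR
# Returns 0 if DIR still contains *.log files (e.g. sql-error.log) that a
# web server could serve, 1 if none remain. Prints each file found.
froxlor_logs_exposed() {
    found=1
    for f in "$1"/*.log; do
        [ -e "$f" ] || continue        # glob matched nothing
        found=0
        printf 'exposed log: %s\n' "$f"
    done
    return $found
}

# froxlor_logs_cleanup DIR
# Removes every *.log file from DIR, as the lead developer recommends.
# Returns 0 when no .log file is left afterwards.
froxlor_logs_cleanup() {
    for f in "$1"/*.log; do
        [ -e "$f" ] || continue
        rm -f -- "$f"
    done
    # Deleting the files does not undo earlier exposure: if the directory
    # was reachable over the web, assume the logged credentials were read.
    ! froxlor_logs_exposed "$1" >/dev/null
}

# Usage: sh froxlor-logs-check.sh /path/to/froxlor/logs
if [ "$#" -eq 1 ]; then
    froxlor_logs_world_readable "$1" && echo "warning: $1 is world-readable"
    froxlor_logs_exposed "$1" && froxlor_logs_cleanup "$1" \
        && echo "removed .log files from $1"
fi
```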