GHSA-34qg-65m4-f23m: Froxlor: /etc/pure-ftpd/db/mysql.conf is chmod 644 but contains <SQL_UNPRIVILEGED_PASSWORD>
In Froxlor 2.1.9 and in the HEADs of the main, v2.2 and v2.1 branches, the XML templates in lib/configfiles/ set chmod 644 for /etc/pure-ftpd/db/mysql.conf, although that file contains the placeholder <SQL_UNPRIVILEGED_PASSWORD>, which Froxlor replaces with the password of its unprivileged database user when the configuration is written. At least on Debian 12, all parent directories of /etc/pure-ftpd/db/mysql.conf are world-readable and world-searchable by default (they carry the others-execute bit needed to traverse them), so a 644 file underneath them is readable by every local user account on the host, and these database credentials are exposed to all of them. Only Froxlor instances configured to use pure-ftpd are affected.
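The exposure described above needs two conditions at once: the file itself grants "others" read, and every ancestor directory grants "others" search (execute). The following POSIX shell script is an added example, not Froxlor's or pure-ftpd's own code, that checks both conditions for a given path and optionally tightens the file to mode 600. It assumes GNU coreutils (`stat -c '%a'`, as on Debian), that the checked path is absolute, and that mode 600 with the existing owner is acceptable for the daemon that reads the file; the upstream fix is not reproduced here.

```shell
#!/bin/sh
# Added example: detect whether a secret-bearing file such as
# /etc/pure-ftpd/db/mysql.conf is reachable and readable by unprivileged
# local users, then optionally restrict it. Not part of Froxlor.

# Print the octal mode bits of a path, e.g. 644 or 1777.
# Assumption: GNU stat (Debian). BSD stat would need 'stat -f %Lp'.
perm_of() {
    stat -c '%a' "$1"
}

# Mode digit for "others" is the last octal digit; since stat prints only
# octal digits, taking the value modulo 10 yields exactly that digit.
others_bits() {
    _p=$(perm_of "$1") || return 1
    echo $(( _p % 10 ))
}

# world_readable FILE -> status 0 if the others-read bit (4) is set
world_readable() {
    _o=$(others_bits "$1") || return 1
    [ $(( _o & 4 )) -ne 0 ]
}

# parents_searchable FILE [TOP] -> status 0 if every directory from
# dirname(FILE) up to and including TOP (default "/") has the others-execute
# bit (1), i.e. an unprivileged user can traverse down to FILE.
parents_searchable() {
    _top=${2:-/}
    case $1 in
        /*) ;;
        *) echo "parents_searchable: absolute path required" >&2; return 2 ;;
    esac
    _d=$(dirname "$1")
    while :; do
        _o=$(others_bits "$_d") || return 1
        [ $(( _o & 1 )) -ne 0 ] || return 1
        [ "$_d" = "$_top" ] && return 0
        _n=$(dirname "$_d")
        [ "$_n" = "$_d" ] && return 0   # reached filesystem root
        _d=$_n
    done
}

# secret_exposed FILE [TOP] -> status 0 only when BOTH conditions hold,
# which is the situation the advisory describes for a 644 file below
# world-searchable /etc/pure-ftpd/db on Debian 12.
secret_exposed() {
    [ -f "$1" ] || return 1
    world_readable "$1" && parents_searchable "$1" "${2:-/}"
}

# harden_secret_file FILE -> drop group/other access; owner kept unchanged.
# Assumption: the daemon reading the file runs as (or starts as) that owner.
harden_secret_file() {
    chmod 600 "$1"
}

# Usage: sh check_secret_file.sh /etc/pure-ftpd/db/mysql.conf [--fix]
if [ $# -gt 0 ]; then
    if secret_exposed "$1"; then
        echo "EXPOSED: $1 is mode $(perm_of "$1") below world-searchable directories"
        if [ "${2:-}" = "--fix" ]; then
            harden_secret_file "$1"
            echo "restricted $1 to mode $(perm_of "$1")"
        fi
    else
        echo "not exposed: $1"
    fi
fi
```

Run as root on a Froxlor host with the real path to confirm the finding; the check reads only mode bits, so it gives the same answer regardless of who runs it. Note that restricting an ancestor directory instead of the file would also break the exposure, but /etc/pure-ftpd and /etc are shared with other software, so tightening the file itself is the targeted mitigation.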