GHSA-34qg-65m4-f23m: Froxlor: /etc/pure-ftpd/db/mysql.conf is chmod 644 but contains <SQL_UNPRIVILEGED_PASSWORD>

August 23, 2024

In Froxlor 2.1.9 and in the HEADs of the main, v2.2 and v2.1 branches , the XML templates in lib/configfiles/ set chmod 644 for /etc/pure-ftpd/db/mysql.conf, although that file contains <SQL_UNPRIVILEGED_PASSWORD>. At least on Debian 12, all parent directories of /etc/pure-ftpd/db/mysql.conf are world readable by default, thus exposing these credentials to all users with access to the system. Only Froxlor instances configured to use pure-ftpd are affected/vulnerable.

References

github.com/advisories/GHSA-34qg-65m4-f23m
github.com/froxlor/Froxlor
github.com/froxlor/Froxlor/blob/2.1.9/lib/configfiles/bookworm.xml
github.com/froxlor/Froxlor/commit/5d2ce4ecfb0e9c397ef5c73b107fb9a0e122e910
github.com/froxlor/Froxlor/security/advisories/GHSA-34qg-65m4-f23m

Code Behaviors & Features

Detect and mitigate GHSA-34qg-65m4-f23m with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →