Hi! Reposting this [1] here with permission:
> Public disclosure of security vulnerability in @writefreely [2]:
>
> I reported this privately to the project maintainers back in October. There
> has been no further movement from them since I made my initial report, so I
> have decided to make this public so that #writefreely admins can properly
> secure their instances.
>
> Affects: Any Writefreely instance backed by a #mysql database running on any
> #linux-based platform (other platforms may be affected as well, I have not
> tested).
>
> Severity as assessed by CVSS v3: Critical (9.3)
>
> Summary:
> If you use the standard getting started
> instructions (https://writefreely.org/start) and set up to connect to a MySQL
> database with `writefreely config start`, the created config.ini file stores
> the complete database connection configuration, including host, username, and
> password in plain-text in a world-readable file.
>
> If Writefreely is being run on a shared machine, an attacker with access to
> that machine could use this to gain complete access to the underlying
> database, including user account passwords, private posts, and anything else
> stored by Writefreely, as well as potentially altering or deleting anything
> there.
>
> PoC:
> 1. Download Writefreely
> 2. Run setup with `writefreely config start`
> 3. Select a MySQL backend and provide a username and password
> 4. Finish setup
> 5. A publicly readable config.ini file is immediately created with all of the
> database credentials in it.
>
> Impact:
> Tested on Ubuntu 22.04. Probably true at least for all Linux builds. Any
> Writefreely instance running on a shared machine is potentially vulnerable to
> total database compromise.
>
> Attack vector: Local, an attacker would need console access to the machine
> running the Writefreely instance to gain access to it.
> Attack complexity: Low, they need only check for a readable config.ini file.
> Privileges required: None, the file is world-readable.
> User interaction: None
> Confidentiality: High, an attacker could gain complete access to the MySQL
> database, including contents of any private or unpublished posts.
> Integrity: High, an attacker could gain complete write access to the MySQL
> database and overwrite it with any information they'd like. Additionally, an
> administrator could be totally unaware of any compromise, as this access may
> not leave any traces of its presence.
> Availability: High, an attacker could completely erase or corrupt the backing
> database, bringing the server down, and completely destroying all contents
> that have not been backed up.
>
> Fix: Administrators of Writefreely instances backed by MySQL databases,
> particularly those on shared machines, should immediately check the
> permissions of their config.ini file and make it readable to the file owner
> only. This file contains sensitive information and should not be public.
> Additionally, any time they use Writefreely's console tools to change their
> server settings, they should recheck their config.ini's permissions, as
> Writefreely's automated tools can reset the file permissions.

- Fay

[1] https://raphus.social/@TV4Fun/113846757112643161
[2] https://github.com/writefreely/writefreely
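
The permission check described in the Fix paragraph above, as an added shell example (not part of the original advisory and not WriteFreely's own tooling). It assumes the config.ini path is passed in and that the file is owned by the account that runs WriteFreely; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit and restrict a WriteFreely config.ini (function names
# are hypothetical; the config path is whatever your instance uses).

# Print the file's octal permission bits (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Return 0 if group or other hold any permission bit, 1 if owner-only.
is_exposed() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# Restrict the file to its owner (0600) if needed, then verify the result.
harden_config() {
    cfg=$1
    [ -f "$cfg" ] || { echo "not found: $cfg" >&2; return 2; }
    if is_exposed "$cfg"; then
        echo "WARNING: $cfg was mode $(file_mode "$cfg"), restricting to 600" >&2
        chmod 600 "$cfg" || return 2
    fi
    ! is_exposed "$cfg"
}

# Run a command that may rewrite the config, then recheck the file, because
# the advisory notes the console tools can reset its permissions.
# e.g. run_then_harden ./config.ini writefreely config start
run_then_harden() {
    cfg=$1; shift
    "$@"
    rc=$?
    harden_config "$cfg" || return 2
    return "$rc"
}

# Stand-alone use: sh check_config.sh /path/to/config.ini
if [ "$#" -gt 0 ]; then
    harden_config "$1"
fi
```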