WriteFreely exposes database credentials though insecure file permissions

[Fay Stegerman <flx () obfusk net>]

Hi!

Reposting this [1] here with permission:

> Public disclosure of security vulnerability in @writefreely [2]:

> I reported this privately to the project maintainers back in October. There
> has been no further movement from them since I made my initial report, so I
> have decided to make this public so that #writefreely admins can properly
> secure their instances.

> Affects: Any Writefreely instance backed by a #mysql database running on any
> #linux-based platform (other platforms may be affected as well, I have not
> tested).

> Severity as assessed by CVSS v3: Critical (9.3)

> Summary:
> If you use the standard getting started
> instructions(https://writefreely.org/start) and set up to connect to a MySQL
> database with `writefreely config start`, the created config.ini file stores
> the complete database connection configuration, including host, username, and
> password in plain-text in a world-readable file.

> If Writefreely is being run on a shared machine, an attacker with access to
> that machine could use this to gain complete access to the underlying
> database, including user account passwords, private posts, and anything else
> stored by Writefreely, as well as potentially altering or deleting anything
> there.

> PoC:
> 1. Download Writefreely
> 2. Run setup with `writefreely config start`
> 3. Select a MySQL backend and provide a username and password
> 4. Finish setup
> 5. A publicly readable config.ini file is immediately created with all of the
> database credentials in it.

> Impact:
> Tested on Ubuntu 22.04. Probably true at least for all Linux builds. Any
> Writefreely instance running on a shared machine is potentially vulnerable to
> total database compromise.

> Attack vector: Local, an attacker would need console access to the machine
> running the Writefreely instance to gain access to it.
> Attack complexity: Low, they need only check for a readable config.ini file.
> Privileges required: None, the file is world-readable.
> User interaction: None
> Confidentiality: High, an attacker could gain complete access to the MySQL
> database, including contents of any private or unpublished posts.
> Integrity: High, an attacker could gain complete write access to he MySQL
> database and overwrite it with any information they'd like. Additionally, an
> administrator could be totally unaware of any compromise, as this access may
> not leave any traces of its presence.
> Availability: High, an attacker could completely erase or corrupt the backing
> database, bringing the server down, and completely destroying all contents
> that have not been backed up.

> Fix: Administrators of Writefreely instances backed by MySQL databases,
> particularly those on shared machines, should immediately check the
> permissions of their config.ini file and make it readable to the file owner
> only. This file contains sensitive information and should not be public.
> Additionally, any time they use Writefreely's console tools to change their
> server settings, they should recheck their config.ini's permissions, as
> Writefreely's automated tools can reset the file permissions.

- Fay

[1] https://raphus.social/@TV4Fun/113846757112643161
[2] https://github.com/writefreely/writefreely