Pandora FMS 754 - the hash of the database password available on the client-side
#pandorafms #hacking #hash #password #cve
Last Modified: 2021.07.09.
After I found CVE-2021-34074 in Pandora FMS 754, I was curious about the hash used in the File Manager, because it was in use during the file upload.
I found a strange vulnerability based on the source code. The hash of the database password with a "little modification" is visible on the client-side in the File Manager.
I do not see any reason why server-side critical information should be visible on the client-side. Probably originally it was a copy&paste error. This vulnerability was hidden for so long ... It was a surprise for me.
- 2021.05.26. - Vulnerability information sent to vendor
- 2021.05.26. - Feedback received from the vendor
- 2021.06.06. - Report update (script)
- 2021.06.25. - New CVE id: CVE-2021-34075
- 2021.06.25. - Report published.
- 2021.07.09. - Vendor fixed it in Pandora FMS 755.
File Manager - Hash
Note: The File Manager is an admin feature.
Instead of the relative path, the File Manager uses a hash to reach files and directories. The hash is calculated on the server side and is visible on the client side.
The following screenshots contain examples:
The following screenshot contains an example of the hash calculation in include/functions_filemanager.php:
The config.php contains the real database password:
The md5 hash is calculated from a simple string, from the relative path and from the db_password.
If an attacker can somehow physically see the monitor of an admin user (e.g. in an office) or can eavesdrop on network traffic, the hash and the path could become accessible. The browser history could also contain the information.
Since the source code is publicly available, the same algorithm can be used to generate password hashes offline. If the generated hash and the stored hash match, it is very likely that the password is correct.
I sent my recommendation to the vendor which was the following: During the install process, a random string can be generated. The generated string is a good alternative instead of the DB password and it is easy to implement.
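One way to implement that recommendation, as an added sketch that is not Pandora FMS code or the vendor's actual fix: a random install-time secret keys an HMAC-SHA256 over the relative path, so the token shown to the browser carries no information about db_password. The function names and the secret file path are hypothetical.

```php
<?php
declare(strict_types=1);

// Load the File Manager secret, creating it on first use (install time).
// $file is a hypothetical location, not a real Pandora FMS path.
function fm_load_or_create_secret(string $file): string
{
    if (!is_file($file)) {
        $oldMask = umask(0077);                  // create the file owner-only
        file_put_contents($file, random_bytes(32), LOCK_EX);
        umask($oldMask);
    }
    $secret = file_get_contents($file);
    if ($secret === false || strlen($secret) !== 32) {
        throw new RuntimeException('File Manager secret is missing or corrupt');
    }
    return $secret;
}

// Token sent to the browser in place of an md5 that includes db_password.
function fm_path_token(string $relativePath, string $secret): string
{
    return hash_hmac('sha256', $relativePath, $secret);
}

// Server-side check when the browser sends a path and its token back.
// hash_equals() compares in constant time.
function fm_verify_path_token(string $relativePath, string $token, string $secret): bool
{
    return hash_equals(fm_path_token($relativePath, $secret), $token);
}

// Constructed sample input: a demo secret file in the temp directory.
$secret = fm_load_or_create_secret(sys_get_temp_dir() . '/fm_demo_secret.key');
$token  = fm_path_token('images/custom_logo', $secret);

// The token checked against the path it was issued for.
var_dump(fm_verify_path_token('images/custom_logo', $token, $secret));
// The same token presented with a different path.
var_dump(fm_verify_path_token('attachment/other_dir', $token, $secret));
```

Because the key is 32 random bytes that never leave the server and are unrelated to any credential, a token captured from the screen, the network or the browser history cannot be used to test database password guesses offline.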
- Sensitive Information available on the client side. (Hash of the db_password.)
- Weak md5 hash is in use.
I made an ugly python3 script just for demonstration. There are far better tools and ways to do the same:
© 2019-2021 Kamilló Matek All Rights Reserved