
(Vanilla 2.2.1) SphinxSearch exposing full db config via analyticstick.json

jamesinc ✭✭
edited June 2016 in Vanilla 2.0 - 2.8

Hi,

I've just noticed SphinxSearch appears to be writing to the JSON object in analyticstick.json. I don't understand much about that file, so not sure why that's happening. Given the serious nature of this, can someone else at least confirm if it's not just my forum that's doing it?

(the screenshot shows a sanitised version)

This file is available to all site visitors.

Comments

  • Edit: if this does turn out to be a security hole in SphinxSearch, needless to say disable the plugin and change your db password immediately.

  • It gives some information but it is hardly a grand exposé. There is no credential mentioned.

    it probably should be restricted via permissions.

    grep is your friend.

  • @x00 the unsanitised configuration exposes the entire config text via ConfText. That includes database username and password.

  • Here, here is a less sanitised example from a development copy I just spun up:

  • I did this with a fresh plugin install, following the steps specified by the plugin installer. I'm not sure that the ConfText needs to be held in conf/config.php once you've copied it to sphinx.conf on the server, but that's not really important. The plugin doesn't auto-delete it, it doesn't tell you to delete it, and it leads to disclosure of the db connection information, including username and password, to any visitor to the site.

  • And just in case this isn't abundantly clear at this point, this is the contents of that long string value:

    ####################################################################
    # This file is automatically generated by the SphinxSearch Plugin
    #
    # WARNING: YOUR DATABASE PASSWORD/USERNAME ARE CONTAINED IN THIS FILE!!!!
    #
    # -@author mcuhq
    ####################################################################

    #create an offset from the `vss_discussion`
    #notice this: 0 as title ...this is key to not select dups

    source vss_main_comment
    {
    type = mysql
    sql_host = localhost
    sql_user = (db user exposed!!!)
    sql_pass = (db pass exposed!!!)
    sql_db = (db name exposed!!!)
    sql_sock = /var/run/mysqld/mysqld.sock
    sql_port = 3306 #optional, default is 3306

    (additional lines omitted)

  • Bleistivt Moderator

    https://github.com/mcuhq/SphinxSearchPlugin/blob/master/class.sphinxsearch.plugin.php#L164

    It adds its configuration to the controller data, so it is probably not only present in analyticstick.json but in every API response.

  • I never had this parameter. I agree I'm not exactly sure why that ended up in config in the first place.

    The exposure itself is unnecessary.

    grep is your friend.

  • Looks like the settings are being set on every page to simplify passing data from the controller to the view. I am guessing this disclosure is unintentional.

    I just checked my site that has sphinx running. The settings are below:

    My conf text is not visible.

    This plugin could use some tlc.


  • To immediately resolve this, remove the following setting from /conf/config.php:

    $Configuration['Plugin']['SphinxSearch']['ConfText'] = '...';


  • mcu_hq ✭✭✭
    edited June 2016

    @hgtonight said:
    To immediately resolve this, remove the following setting from /conf/config.php:

    $Configuration['Plugin']['SphinxSearch']['ConfText'] = '...';

    Yea, that should do it. Disabling Vanilla analytics will also solve the problem. I'm not sure why the analyticstick.json file is exposing variables like that - I wish I knew beforehand.

    Looks like the settings are being set on every page to simplify passing data from the controller to the view. I am guessing this disclosure is unintentional

    Yes, exactly right.

    The config.php file was used as a convenience to save the sphinx config file so that it could be recalled/saved during installation. This avoided having to create a writable file and such. After the installation it isn't used (at least to my knowledge right now - it has been a while). What I'll do is delete the config string from config.php after the install wizard is closed.

  • Bleistivt Moderator

    @mcu_hq said:
    Yea, that should do it. Disabling Vanilla analytics will also solve the problem. I'm not sure why the analyticstick.json file is exposing variables like that - I wish I knew beforehand.

    Everything set with setData() is exposed to the API. This should probably be documented somewhere, the PHPDoc doesn't make this very clear.

  • mcu_hq ✭✭✭

    @Bleistivt said:
    Everything set with setData() is exposed to the API. This should probably be documented somewhere, the PHPDoc doesn't make this very clear.

    Wow, yep never knew. Anyways I just put up a quick patch that deletes the config entry after the wizard install. For current users that already have it installed, open up your config.php file and delete the string entry for $Configuration['Plugin']['SphinxSearch']['ConfText']
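The manual clean-up mcu_hq describes for existing installs can be checked and carried out with a short script. The following is an added example written for this thread; it is not code from Vanilla or from the SphinxSearch plugin. It loads a Vanilla conf/config.php, reports whether Plugin.SphinxSearch.ConfText is still stored there and which of the sql_* credential directives from the sphinx.conf text it carries, then strips the assignment and re-checks. It assumes Vanilla's config format (`$Configuration[...] = ...;` lines behind the usual `if (!defined('APPLICATION')) exit();` guard); when no path is given it runs against a constructed sample config with placeholder credentials.

```php
<?php
// check_conftext.php -- added example, not part of Vanilla or the SphinxSearch plugin.
// Usage: php check_conftext.php [/path/to/conf/config.php]
declare(strict_types=1);

// Vanilla's config.php exits unless APPLICATION is defined, so define it before including.
if (!defined('APPLICATION')) {
    define('APPLICATION', 'Vanilla');
}

/** Include a Vanilla config.php in its own scope and return the $Configuration array. */
function loadVanillaConfig(string $path): array
{
    $Configuration = [];
    include $path;              // the file assigns into $Configuration in this scope
    return $Configuration;
}

/** Return the stored ConfText, or null when the key is absent (the desired state). */
function findConfText(array $config): ?string
{
    return $config['Plugin']['SphinxSearch']['ConfText'] ?? null;
}

/** Which credential-bearing sphinx.conf directives appear in the stored text. */
function credentialDirectives(string $confText): array
{
    $found = [];
    foreach (['sql_host', 'sql_user', 'sql_pass', 'sql_db'] as $key) {
        if (preg_match('/^\s*' . $key . '\s*=/m', $confText)) {
            $found[] = $key;
        }
    }
    return $found;
}

/** Remove the ConfText assignment (a single-quoted, possibly multi-line PHP string). */
function stripConfText(string $source): string
{
    // Nowdoc so neither PHP nor the reader has to think about escaping.
    $pattern = <<<'RE'
/^[ \t]*\$Configuration\['Plugin'\]\['SphinxSearch'\]\['ConfText'\]\s*=\s*'(?:[^'\\]|\\.)*';[ \t]*\R?/m
RE;
    return preg_replace($pattern, '', $source);
}

// Constructed sample config modelled on the thread; credentials are placeholders.
$sample = <<<'CFG'
<?php if (!defined('APPLICATION')) exit();
$Configuration['Database']['Name'] = 'vanilla';
$Configuration['Plugin']['SphinxSearch']['ConfText'] = 'source vss_main_comment
{
 type = mysql
 sql_host = localhost
 sql_user = PLACEHOLDER_USER
 sql_pass = PLACEHOLDER_PASS
 sql_db = PLACEHOLDER_DB
}';
$Configuration['Plugin']['SphinxSearch']['Enabled'] = true;
CFG;

$path = $argv[1] ?? null;
if ($path === null) {
    $path = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($path, $sample);
    echo "No path given; using constructed sample at $path\n";
}

$confText = findConfText(loadVanillaConfig($path));
if ($confText === null) {
    echo "OK: Plugin.SphinxSearch.ConfText is not present in $path\n";
    exit(0);
}

echo "WARNING: ConfText is stored in $path and carries: "
   . implode(', ', credentialDirectives($confText)) . "\n";

// Back up, strip the entry, and verify by loading the file again.
copy($path, $path . '.bak');
file_put_contents($path, stripConfText(file_get_contents($path)));
if (findConfText(loadVanillaConfig($path)) === null) {
    echo "Removed ConfText (backup kept at $path.bak)\n";
} else {
    echo "Could not remove ConfText automatically; delete the entry by hand\n";
    exit(1);
}
```

Given a real path the script edits that file in place after writing a `.bak` copy, so run it as the web server's file owner and with the forum briefly idle. Loading the file twice through `include` rather than pattern-matching the source for the check means the result reflects what Vanilla itself would read, and the second load confirms the regex removal actually took effect rather than trusting it.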
