Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

(Vanilla 2.2.1) SphinxSearch exposing full db config via analyticstick.json

jamesincjamesinc Sydney ✭✭
edited June 2016 in Vanilla 2.0 - 2.8

Hi,

I've just noticed SphinxSearch appears to be writing to the JSON object in analyticstick.json. I don't understand much about that file, so not sure why that's happening. Given the serious nature of this, can someone else at least confirm if it's not just my forum that's doing it?

(the screenshot shows a sanitised version)

This file is available to all site visitors.

Comments

  • jamesincjamesinc Sydney ✭✭

    Edit: if this does turn out to be a security hole in SphinxSearch, needless to say disable the plugin and change your db password immediately.

  • Is gives some information but it is is hardly a grand expose. There is no credential mentioned.

    it probably should be restricted via permissions.

    grep is your friend.

  • jamesincjamesinc Sydney ✭✭

    @x00 the unsanitised configuration exposes the entire config text via ConfText. That includes database username and password.

  • jamesincjamesinc Sydney ✭✭

    Here, here is a less sanitised example from a development copy I just spun up:

  • jamesincjamesinc Sydney ✭✭

    I did this with a fresh plugin install, following the steps specified by the plugin installer. I'm not sure that the ConfText needs to be held in conf/config.php once you've copied it to sphinx.conf on the server, but that's not really important. The plugin doesn't auto-delete it, it doesn't tell you to delete it, and it leads to disclosure of the db connection information, including username and password, to any visitor to the site.

  • jamesincjamesinc Sydney ✭✭

    And just in case this isn't abundantly clear at this point, this is the contents of that long string value:

    ####################################################################
     # This file is automatically generated by the SphinxSearch Plugin
     #
     # WARNING: YOUR DATABASE PASSWORD/USERNAME ARE CONTAINED IN THIS FILE!!!!
     #
     # -@author mcuhq
     ####################################################################
    
    
     #create an offset from the `vss_discussion`
     #notice this: 0 as title ...this is key to not select dups
    
     source vss_main_comment
     {
     type = mysql
     sql_host = localhost
     sql_user = (db user exposed!!!)
     sql_pass = (db pass exposed!!!)
     sql_db = (db name exposed!!!)
     sql_sock = /var/run/mysqld/mysqld.sock
     sql_port = 3306 #optional, default is 3306
    

    (additional lines omitted)

  • BleistivtBleistivt Moderator

    https://github.com/mcuhq/SphinxSearchPlugin/blob/master/class.sphinxsearch.plugin.php#L164

    It adds its configuration to the controller data, so it is probably not only present in analyticstick.json but in every API response.

  • I never had this parameter. I agree I'm not exactly sure why that ended up in config in the first place.

    The exposure itself is unnecessary.

    grep is your friend.

  • hgtonighthgtonight ∞ · New Moderator

    Looks like the settings are being set on every page to simplify passing data from the controller to the view. I am guessing this disclosure is unintentional.

    I just checked my site that has sphinx running. The settings are below:

    My conf text is not visible.

    This plugin could use some tlc.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • hgtonighthgtonight ∞ · New Moderator

    To immediately resolve this, remove the following setting from /conf/config.php:

    $Configuration['Plugin']['SphinxSearch']['ConfText'] = '"...";

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • mcu_hqmcu_hq yippie ki-yay ✭✭✭
    edited June 2016

    @hgtonight said:
    To immediately resolve this, remove the following setting from /conf/config.php:

    $Configuration['Plugin']['SphinxSearch']['ConfText'] = '"...";

    Yea, that should do it. Disabling Vanilla analytics will also solve the problem. I'm not sure why the analyticstick.json file is exposing variables like that - I wish I knew beforehand.

    Looks like the settings are being set on every page to simplify passing data from the controller to the view. I am guessing this disclosure is unintentional

    Yes, exactly right.

    The config.php file was used as a convenience to save the sphinx config file so that it could be recalled/saved during installation. This avoided having to create a writable file and such. After the installation it isn't used (at least to my knowledge right now - it has been a while). What I'll do is delete the config string from config.php after the install wizard is closed.

  • BleistivtBleistivt Moderator

    @mcu_hq said:
    Yea, that should do it. Disabling Vanilla analytics will also solve the problem. I'm not sure why the analyticstick.json file is exposing variables like that - I wish I knew beforehand.

    Everything set with setData() is exposed to the API. This should probably be documented somewhere, the PHPDoc doesn't make this very clear.

  • mcu_hqmcu_hq yippie ki-yay ✭✭✭

    @Bleistivt said:
    Everything set with setData() is exposed to the API. This should probably be documented somewhere, the PHPDoc doesn't make this very clear.

    Wow, yep never knew. Anyways I just put up a quick patch that deletes the config entry after the wizard install. For current users that already have it installed, open up your config.php file and delete the string entry for $Configuration['Plugin']['SphinxSearch']['ConfText']

Sign In or Register to comment.