{ "schema_version": "1.4.0", "id": "GHSA-vrjr-p3xp-xx2x", "modified": "2024-12-06T18:22:52Z", "published": "2024-12-06T18:22:52Z", "aliases": [ "CVE-2024-54141" ], "summary": "phpMyFAQ Generates an Error Message Containing Sensitive Information if database server is not available", "details": "### Summary\nExposure of database (ie postgreSQL) server's credential when connection to DB fails.\n\n### Details\nExposed database credentials upon misconfig/DoS @ permalink: https://github.com/thorsten/phpMyFAQ/blob/main/phpmyfaq/src/phpMyFAQ/Setup/Installer.php#L694\n\n### PoC\nWhen postgreSQL server is unreachable, an error would be thrown exposing the credentials of the database. For instance, when \"http://:8080/setup/index.php\" is hit when the database instance/server is down, then credentials are exposed, for instance:\n\n```\n( ! ) Warning: pg_connect(): Unable to connect to PostgreSQL server: connection to server at "127.0.0.1", port 5432 failed: Connection refused Is the server running on that host and accepting TCP/IP connections? in /var/www/html/src/phpMyFAQ/Database/Pgsql.php on line 78\nCall Stack\n# Time Memory Function Location\n1 0.0404 453880 {main}( ) .../index.php:0\n2 1.1341 610016 phpMyFAQ\\Setup\\Installer->startInstall( $setup = ??? ) .../index.php:471\n3 1.2113 611544 phpMyFAQ\\Database\\Pgsql->connect( $host = '127.0.0.1', $user = 'cvecve', $password = '', $database = 'cvecve', $port = 5432 ) .../Installer.php:694\n4 1.2113 611864 pg_connect( $connection_string = 'host=127.0.0.1 port=5432 dbname=cvecve user=cvecve password=' ) .../Pgsql.php:78\n\n( ! ) Fatal error: Uncaught TypeError: Cannot assign false to property phpMyFAQ\\Database\\Pgsql::$conn of type ?PgSql\\Connection in /var/www/html/src/phpMyFAQ/Database/Pgsql.php on line 78\n( ! ) TypeError: Cannot assign false to property phpMyFAQ\\Database\\Pgsql::$conn of type ?PgSql\\Connection in /var/www/html/src/phpMyFAQ/Database/Pgsql.php on line 78\nCall Stack\n# Time Memory Function Location\n1 0.0404 453880 {main}( ) .../index.php:0\n2 1.1341 610016 phpMyFAQ\\Setup\\Installer->startInstall( $setup = ??? ) .../index.php:471\n3 1.2113 611544 phpMyFAQ\\Database\\Pgsql->connect( $host = '127.0.0.1', $user = 'cvecve', $password = '', $database = 'cvecve', $port = 5432 ) .../Installer.php:694\n```\n![image](https://github.com/user-attachments/assets/feb9c0ba-0cf7-44d1-bd86-87cc36292b70)\n\nA way to force this would be to perform a denial of service on the database instance/server. When the db connection is refused, the credentials would show. The remote attacker can then use that to gain full control on the database.\n\n### Impact\nThis vulnerability exposes the credentials of the database and grants a remote attacker full control over the database.\n\nFirst notified Snyk on 16 Jan 2024.\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" } ], "affected": [ { "package": { "ecosystem": "Packagist", "name": "thorsten/phpmyfaq" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.0.0" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-vrjr-p3xp-xx2x" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54141" }, { "type": "WEB", "url": "https://github.com/thorsten/phpMyFAQ/commit/b9289a0b2233df864361c131cd177b6715fbb0fe" }, { "type": "PACKAGE", "url": "https://github.com/thorsten/phpMyFAQ" } ], "database_specific": { "cwe_ids": [ "CWE-209" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-12-06T18:22:52Z", "nvd_published_at": "2024-12-06T15:15:09Z" } }