WriteFreely MySQL Database Credential Exposure Vulnerability

Vulnerability

A vulnerability in WriteFreely versions through 0.15.1 allows local users to read MySQL database credentials stored in plaintext in a world-readable config.ini file. The issue arises when WriteFreely is configured to use a MySQL database by following the standard installation instructions, which write the database password into config.ini without restricting the file's permissions. The vulnerability is present on any Linux-based platform, and potentially others. It matters most on shared or multi-tenant hosts, where unrelated local accounts can read the file.

Impact

Exploitation of this vulnerability could lead to complete compromise of the MySQL database. With the credentials, an attacker could read sensitive information such as user account password hashes and private posts, and could also alter or delete database contents. The attacker could disrupt the WriteFreely instance by corrupting or erasing the database, causing the loss of any data not covered by a backup.

Reproduction

To reproduce this vulnerability, download and install WriteFreely. During setup, select MySQL as the database backend and provide the database credentials. Once setup completes, a config.ini file is created containing the database connection details, including the password, in plaintext. The file is created world-readable, so any local account on the same machine can read the database password; inspecting the file's mode after setup confirms this.

Remediation

WriteFreely administrators should immediately restrict the permissions of config.ini so that it is readable and writable only by the file owner (mode 0600), with the owner being the account that runs the WriteFreely service. After adjusting the permissions, re-check the file regularly, and in particular after running WriteFreely's command-line configuration tools, which rewrite config.ini and can reset it to the more permissive mode.
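The check and fix described above, as an added example (not WriteFreely project code). It assumes the config path is passed as the first argument and that the file uses WriteFreely's INI layout with a `password = ...` key under `[database]`; both the script name and that key name are assumptions for this example.

```sh
#!/bin/sh
# Added example, not WriteFreely code: detect a world-readable config.ini that
# stores MySQL credentials, and restrict it to the owner. Assumes the config
# path is given as $1 and that the file contains a "password = ..." key in the
# [database] section (the layout this example expects; verify against your file).

# Return 0 if the file grants no permission bits to group or other.
config_is_private() {
    f="$1"
    [ -f "$f" ] || return 2
    # GNU stat prints the octal mode with -c; BSD/macOS stat uses -f.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%OLp' "$f")
    group_other=${mode#"${mode%??}"}   # last two octal digits: group and other
    [ "$group_other" = "00" ]
}

# Return 0 if the config stores a database password AND other users can read it,
# which is exactly the condition the advisory describes.
config_exposes_db_password() {
    f="$1"
    [ -f "$f" ] || return 2
    # Only uncommented "password = ..." lines count; "# password" is ignored.
    grep -Eq '^[[:space:]]*password[[:space:]]*=' "$f" || return 1
    ! config_is_private "$f"
}

# Restrict the file to owner read/write (0600), then re-check the result.
harden_config() {
    f="$1"
    [ -f "$f" ] || return 2
    chmod 600 "$f"
    config_is_private "$f"
}

# Usage: sh check_config.sh /path/to/writefreely/config.ini
# Run this after setup and again after any WriteFreely config command,
# since those rewrite the file and can restore the permissive mode.
if [ $# -gt 0 ]; then
    if config_exposes_db_password "$1"; then
        echo "$1: stores a DB password and is readable by other users; restricting to owner"
        harden_config "$1" && echo "$1: now owner-only"
    else
        echo "$1: no exposed DB password found"
    fi
fi
```

The script only changes the mode; it does not change the file's owner. If config.ini is owned by a deployment account rather than the service account, fix ownership first so the service can still read it after the chmod. Re-running the script as a cron job or after each configuration change covers the reset described above.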

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          7.5
exploitability  4.6
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.