PT-2024-40042 · Percona+2

Published 2024-08-23 · Updated 2024-08-23

CVSS v4.0: 8.4 High

Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Froxlor versions 2.1.9 and earlier

Description

The issue is the exposure of MySQL database credentials through incorrect file permissions. In affected Froxlor instances configured to use pure-ftpd, the XML templates set chmod 644 on /etc/pure-ftpd/db/mysql.conf, which contains sensitive information such as <SQL UNPRIVILEGED PASSWORD>. As a result, every user with access to the system can read the file and obtain the credentials, potentially leading to unauthorized access to the froxlor MySQL database. The vulnerability can be exploited by any unprivileged user with command or code execution on the system, including virtual users without SSH access who can upload PHP scripts or other CGIs. Database access can then be leveraged to obtain Froxlor admin privileges and, subsequently, root privileges.

Recommendations

For Froxlor version 2.1.9, consider passwordless unix socket authentication as a mitigation. It allows database passwords to be removed or omitted entirely for connections that go through a unix socket. This approach is supported by current versions of MySQL, MariaDB, and Percona, and it works even when the database user has a different name than the system account running the database client.
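
A defender-side check for the condition in the description, as an added example that is not part of the advisory or of Froxlor: it flags a credential file that other local users can read and tightens its mode. The function names and the 0600 target mode are assumptions; the default path is the one named in the description.

```shell
#!/bin/sh
# Added example (not Froxlor code): audit a credential file for the
# world-readable mode described in the advisory.

# Path named in the advisory; pass another path to audit_cred_file to override.
DEFAULT_CONF=/etc/pure-ftpd/db/mysql.conf

# Succeeds if the "other" read bit is set on a regular file (e.g. mode 644).
is_world_readable() {
    [ -n "$(find "$1" -prune -type f -perm -004 2>/dev/null)" ]
}

# Prints a verdict; returns 0 = ok, 1 = world-readable, 2 = file not present.
audit_cred_file() {
    conf=${1:-$DEFAULT_CONF}
    if [ ! -f "$conf" ]; then
        echo "SKIP $conf: not present"
        return 2
    fi
    if is_world_readable "$conf"; then
        echo "FAIL $conf: readable by all local users, rotate the password it holds"
        return 1
    fi
    echo "OK   $conf"
    return 0
}

# Assumption: only the file's owner needs to read it, so 0600 is sufficient.
harden_cred_file() {
    chmod 600 "$1"
}

# Run the audit only when invoked with --audit [path].
if [ "${1:-}" = "--audit" ]; then
    audit_cred_file "${2:-$DEFAULT_CONF}"
fi
```

Run it as root so the check can reach the file regardless of the permissions on its parent directories.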

Fix

Incorrect Permission

Weakness Enumeration

Related Identifiers

GHSA-34QG-65M4-F23M

Affected Products

MariaDB
MySQL Server
Percona