
World-readable database backup/dump with hashed user passwords in wdqs-tutorial tool
Closed, ResolvedPublicSecurity

Description

The wdqs-tutorial tool has a world-readable dbdump file:

lucaswerkmeister-wmde@tools-sgebastion-10:~$ ls -l ~tools.wdqs-tutorial/dbdump 
-rw-r--r-- 1 wmde-leszek tools.wdqs-tutorial 5820375 Jun 22  2020 /data/project/wdqs-tutorial/dbdump

It includes some user registrations, including email addresses and hashed passwords:

--
-- Table structure for table `wp9c_users`
--

DROP TABLE IF EXISTS `wp9c_users`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `wp9c_users` (
  `ID` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `user_login` varchar(60) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
  `user_pass` varchar(255) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
  `user_nicename` varchar(50) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
  `user_email` varchar(100) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
  `user_url` varchar(100) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
  `user_registered` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
  `user_activation_key` varchar(255) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
  `user_status` int(11) NOT NULL DEFAULT '0',
  `display_name` varchar(250) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
  PRIMARY KEY (`ID`),
  KEY `user_login_key` (`user_login`),
  KEY `user_nicename` (`user_nicename`),
  KEY `user_email` (`user_email`)
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
/*!40101 SET character_set_client = @saved_cs_client */;
INSERT INTO `wp9c_users` VALUES (1,'admin','$P$REDACTED','admin','REDACTED@gmail.com','','2019-10-14 14:37:11','',0,'admin'),(2,'testadmin','$P$REDACTED','testadmin','REDACTED@wikimedia.de','','2020-05-09 15:53:18','',0,'testadmin');

This file must be made readable only to the tool user and nobody else (or better yet, deleted entirely).
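A small audit a tool maintainer could run against a project directory, added here as an example and not code from this task or from Toolforge: it flags files that are readable by everyone and look like a dump of a users table (a `user_pass` column or phpass `$P$` hashes, the two tell-tale strings in the excerpt above) and, when asked, restricts them to the owner. The directory and dump contents it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the task or Toolforge: find files in a project
# directory that are world-readable AND look like a SQL dump of a users table
# (user_pass column or phpass "$P$" hashes); report them or chmod 600 them.
# The sample directory and its contents are constructed for this demo.

# True when the "others read" bit (octal 004) is set on the given file.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004)" ]
}

# True when the file carries a user_pass column or a "$P$" phpass hash.
has_password_hashes() {
    grep -Eq 'user_pass|\$P\$' "$1"
}

# Scan every regular file in DIR; list offenders on stderr and print how many
# were found. With MODE=fix, also restrict each offender to its owner (0600).
audit_dumps() {
    dir=$1; mode=${2:-report}; count=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if is_world_readable "$f" && has_password_hashes "$f"; then
            count=$((count + 1))
            echo "world-readable dump with password hashes: $f" >&2
            if [ "$mode" = fix ]; then chmod 600 "$f"; fi
        fi
    done
    echo "$count"
}

# Constructed sample directory: one dump shaped like the leaked wp9c_users
# rows (values redacted) next to a harmless README, both mode 0644.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/dbdump" <<'EOF'
CREATE TABLE `wp9c_users` (`ID` bigint(20), `user_login` varchar(60), `user_pass` varchar(255));
INSERT INTO `wp9c_users` VALUES (1,'admin','$P$REDACTED'),(2,'testadmin','$P$REDACTED');
EOF
    echo "nothing sensitive here" > "$d/README"
    chmod 644 "$d/dbdump" "$d/README"
    echo "$d"
}

# Demo run on the constructed directory; for a real tool the call would be
# audit_dumps /data/project/<tool> (report) and then ... fix.
sample=$(make_sample_dir)
audit_dumps "$sample" fix && rm -rf "$sample"
```

Only the `dbdump` file is reported and tightened; the README stays world-readable because it carries no credential-shaped content.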

Details

Risk Rating
Low
Author Affiliation
Wikimedia Deutschland

Event Timeline

WMDE-leszek claimed this task.

Thanks for catching this. I've removed the file.
@Keren_-_WMIL this was the dump of your WordPress instance prior to moving it to WMF Toolforge. It would have been hardly useful at this point, and having read on the other task that you have a backup, I am convinced you have better sources of backup data in case you ever needed to move/recreate the tutorial site.

sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
sbassett edited projects, added SecTeam-Processed, Vuln-Infoleak; removed Security-Team.
sbassett changed Author Affiliation from N/A to Wikimedia Deutschland.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.