Advisory: rConfig 3.9.3 Unauthenticated Sensitive Information Disclosure

Hivint (Hive Intelligence)
Mar 19, 2020

Affected Vendor: rConfig
Affected Software: rConfig
Affected Version: Tested on version 3.9.3, possibly affecting earlier versions
Issue type: Incorrect Access Control
Release Date: 17 March 2020
Discovered by: Daniel Le Souef of Trustwave
CVE Identifier: CVE-2020-9425
Issue status: Fixed

Summary
— — — — — — — —
It is possible for an attacker to retrieve plaintext credentials from the ‘settings.php’ page whilst unauthenticated.

Description
— — — — — — — —
An authentication issue was discovered affecting rConfig versions before 3.9.4. Because the application does not exit after redirecting an unauthenticated user, it continues to render the requested page and sends its contents alongside the redirect. In this case the application returns the ‘settings.php’ page, which contains plaintext credentials, together with the redirect response.

Impact
— — — — — — — —
An attacker is able to retrieve stored plaintext credentials whilst unauthenticated.

Proof of concept
— — — — — — — —
1. Run the following command:
curl -X GET https://<target>/settings.php | grep "defaultNode"
2. Observe the values returned for the ‘defaultNodeUsername’ and ‘defaultNodePassword’.

Solution
— — — — — — — —
To remediate this vulnerability it is recommended that you upgrade to the latest version of rConfig (or any version > 3.9.3).
Otherwise you can add an ‘exit()’ after the redirection in ‘includes/head.inc.php’, replacing lines 14–16 with the following:
if (!$session->logged_in) {
    header("Location: " . $config_basedir . "login.php");
    exit(); // stop rendering so the page body is not sent alongside the redirect
}
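The root cause above (a redirect header emitted without stopping execution) shows up in traffic as a 3xx response that still carries a page body. The following added example, which is not part of the advisory or of rConfig, parses a raw HTTP response and flags a redirect whose body contains ‘defaultNode’ fields or is larger than a bare redirect stub, so a defender can verify a patched instance from captured responses; the sample responses and the 256-byte threshold are constructed.

```python
import re

# Constructed threshold: a bare "Moved" stub body is a few dozen bytes at most.
STUB_BODY_LIMIT = 256

def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def redirect_leaks_content(raw: bytes, marker=r"defaultNode\w*"):
    """Return None for non-redirects; otherwise a verdict on the redirect body."""
    status, headers, body = parse_http_response(raw)
    if not (300 <= status < 400 and "location" in headers):
        return None
    # Field names leaked into the body; the advisory's PoC greps for the same marker.
    hits = sorted(set(re.findall(marker, body.decode("latin-1", "replace"))))
    return {
        "location": headers["location"],
        "body_len": len(body),
        "markers": hits,
        "leaked": bool(hits) or len(body) > STUB_BODY_LIMIT,
    }

# Constructed samples of what the unpatched and patched handler would return.
VULNERABLE = (
    b"HTTP/1.1 302 Found\r\nLocation: /login.php\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><form>"
    b'<input name="defaultNodeUsername" value="PLACEHOLDER_USER">'
    b'<input name="defaultNodePassword" value="PLACEHOLDER_PASS">'
    b"</form></body></html>"
)
PATCHED = b"HTTP/1.1 302 Found\r\nLocation: /login.php\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("unpatched", VULNERABLE), ("patched", PATCHED)):
        print(label, redirect_leaks_content(sample))
```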

Response timeline
— — — — — — — —
12 February 2020 — Vendor Notified
14 February 2020 — Vendor Acknowledged
25 February 2020 — Vendor fix pushed to github
17 March 2020 — Advisory posted
