Labels: security_improvement (Security improvement potential)

Description
SEVERITY: CRITICAL
VULNERABILITY TYPE: Credential Disclosure (CWE-522)
LOCATION: Configuration file handling, error messages, logs

VULNERABLE SCENARIOS:

```ini
# VULNERABLE: Connection strings in plain text config files
# /etc/keystone/keystone.conf
[database]
connection = mysql://keystone:SecretPassword123@localhost/keystone
```

```rust
// VULNERABLE: Logging connection details
log::debug!("Connecting to database: {}", connection_string);

// VULNERABLE: Error messages exposing credentials
Err(format!("Failed to connect to {}", connection_string))
```

ATTACK VECTOR:
- Read configuration files left with permissive modes (chmod 644 instead of 600)
- Extract credentials from debug logs
- Capture error messages containing connection strings
- Read credentials from environment variable dumps
- Access container configuration or orchestration configs
IMPACT:
- Complete database access with stolen credentials
- Full data breach of all identity information (users, passwords, tokens)
- Ability to manipulate authentication and authorization data
- Backdoor creation through database modifications
- Lateral movement to database host
REMEDIATION:

```rust
use secrecy::{ExposeSecret, Secret};

// Load the password from a file whose path comes from the environment.
// std::env::var and std::fs::read_to_string return different error types,
// so each is unwrapped with `?` instead of being chained through and_then.
let db_password = Secret::new(
    std::fs::read_to_string(std::env::var("KEYSTONE_DB_PASSWORD_FILE")?)?
        .trim()
        .to_string(),
);

// Or use secrets management
let db_password = Secret::new(vault_client.get_secret("keystone/db/password")?);

// Sanitize error messages
let conn = match DatabaseConnection::connect(&build_connection_string(&db_password)).await {
    Ok(conn) => conn,
    Err(e) => {
        // Full details in logs; `e` must not itself carry the connection string
        log::error!("Database connection failed: {}", e);
        return Err("Database connection failed".into()); // Generic to user
    }
};
```

```sh
# Ensure config file permissions
chmod 600 /etc/keystone/keystone.conf
chown keystone:keystone /etc/keystone/keystone.conf
```
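The remediation above relies on three habits: keep the password in a type that cannot be printed by accident, build the DSN only at the point of use, and scrub anything URL-shaped before it reaches a log. The following example, added here and not part of the issue or the project's code, shows those habits together in std-only Rust. `Secret` is a minimal stand-in for `secrecy::Secret` (assumed so the example compiles without Cargo dependencies), `DbConfig`, `redact_url_credentials`, `check_config_mode` and `connect_or_generic_error` are hypothetical names, and the `connect` closure stands in for the real driver call.

```rust
use std::fmt;
use std::fs;
use std::io;
use std::os::unix::fs::PermissionsExt;

/// Std-only stand-in for `secrecy::Secret` (assumed here so the example
/// needs no Cargo dependencies): the value is reachable only through
/// `expose_secret()` and never appears in `{:?}` output.
pub struct Secret(String);

impl Secret {
    pub fn new(value: String) -> Self { Secret(value) }
    pub fn expose_secret(&self) -> &str { &self.0 }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Secret([REDACTED])")
    }
}

/// Database settings. Deriving Debug is safe because the password field
/// redacts itself, so `log::debug!("{:?}", cfg)` cannot leak it.
#[derive(Debug)]
pub struct DbConfig {
    pub user: String,
    pub host: String,
    pub name: String,
    pub password: Secret,
}

impl DbConfig {
    /// Assemble the DSN only at the point of use and keep it wrapped, so
    /// `mysql://user:pass@host/db` never sits in a plain String that could
    /// be formatted into a log line or error message.
    pub fn connection_url(&self) -> Secret {
        Secret::new(format!("mysql://{}:{}@{}/{}", self.user,
            self.password.expose_secret(), self.host, self.name))
    }
}

/// Mask the password in every `scheme://user:pass@host` occurrence in a
/// message before it is logged, for driver errors that echo the DSN back.
pub fn redact_url_credentials(msg: &str) -> String {
    let mut out = String::new();
    let mut rest = msg;
    while let Some(idx) = rest.find("://") {
        let (head, tail) = rest.split_at(idx + 3);
        out.push_str(head);
        // The authority component ends at the first '/' or whitespace.
        let end = tail.find(|c: char| c == '/' || c.is_whitespace()).unwrap_or(tail.len());
        let (authority, after) = tail.split_at(end);
        if let Some(at) = authority.rfind('@') {
            let userinfo = &authority[..at];
            // Keep the user name, replace everything after the first ':'.
            match userinfo.find(':') {
                Some(colon) => { out.push_str(&userinfo[..colon]); out.push_str(":***"); }
                None => out.push_str(userinfo),
            }
            out.push_str(&authority[at..]);
        } else {
            out.push_str(authority);
        }
        rest = after;
    }
    out.push_str(rest);
    out
}

/// Turn the `chmod 600` advice into a startup check: refuse a config file
/// whose mode grants group or others any access.
pub fn check_config_mode(path: &str) -> io::Result<()> {
    let mode = fs::metadata(path)?.permissions().mode();
    if mode & 0o077 == 0 {
        return Ok(());
    }
    Err(io::Error::new(
        io::ErrorKind::PermissionDenied,
        format!("{} is mode {:o}, expected 0600", path, mode & 0o777),
    ))
}

/// The issue's sanitised failure path: redacted detail to the log, a generic
/// message to the caller. `connect` stands in for the real driver call.
pub fn connect_or_generic_error(
    cfg: &DbConfig,
    connect: impl Fn(&str) -> Result<(), String>,
) -> Result<(), &'static str> {
    connect(cfg.connection_url().expose_secret()).map_err(|driver_err| {
        eprintln!("database connection failed: {}", redact_url_credentials(&driver_err));
        "Database connection failed"
    })
}
```

In the real project `secrecy::Secret` gives the same redacted `Debug` output and additionally zeroes the buffer on drop, which the stand-in does not; the redaction helper is still worth keeping because drivers commonly echo the DSN in their own error text, and `check_config_mode` fails closed rather than leaving the `chmod 600` step to an operator.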
Status: Done