In a twist of irony, GDPR.EU, an advice site for organizations that need to comply with the General Data Protection Regulation (GDPR), has been exposing its MySQL database settings (including passwords) to anyone on the internet, Pen Test Partners researchers discovered. While GDPR.EU is not an official EU Commission site, it is partly funded by the EU and operated by Proton Technologies AG, the company behind the end-to-end encrypted mail service ProtonMail.
The issue was related to the website’s .git folder being readable by anyone online. This is an old problem that has been around for years, the researchers said.
The team uncovered the exposure using the DotGit browser plugin, which checks whether /.git/ is reachable on a website.
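The same check the article describes, written from the defender's side for verifying your own deployments. This is an added example, not Pen Test Partners' tooling or the DotGit plugin; the host example.invalid, the constructed responses and the helper names are placeholders. It matches on the content of .git/HEAD and .git/config rather than on the status code alone, so servers that answer unknown paths with a 200 "soft 404" page do not produce false positives.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# A genuine .git/HEAD is a symbolic ref or a bare 40-hex commit id; a site's
# HTML "not found" page served with HTTP 200 (a soft 404) matches neither.
HEAD_RE = re.compile(r"^(ref: refs/heads/\S+|[0-9a-f]{40})$")
# A real .git/config opens with a [core] section.
CONFIG_RE = re.compile(r"^\s*\[core\]", re.MULTILINE)
Fetch = Callable[[str], Tuple[int, str]]

def http_fetch(url: str) -> Tuple[int, str]:
    """GET url; return (status, first 4 KiB of body). Network errors become status 0."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""

def looks_like_git_head(body: str) -> bool:
    return HEAD_RE.match(body.strip()) is not None

def check_git_exposure(base_url: str, fetch: Fetch = http_fetch) -> Dict[str, bool]:
    """Report whether .git/HEAD and .git/config are served with plausible content.
    Matching on content, not only on the status code, avoids soft-404 false positives."""
    base = base_url.rstrip("/")
    head_status, head_body = fetch(base + "/.git/HEAD")
    cfg_status, cfg_body = fetch(base + "/.git/config")
    return {
        "head_exposed": head_status == 200 and looks_like_git_head(head_body),
        "config_exposed": cfg_status == 200 and CONFIG_RE.search(cfg_body) is not None,
    }

# Constructed responses standing in for a misconfigured server (not captured traffic);
# example.invalid is a placeholder host, not a real site.
SAMPLE_RESPONSES = {
    "https://example.invalid/.git/HEAD": (200, "ref: refs/heads/master\n"),
    "https://example.invalid/.git/config": (200, "[core]\n\trepositoryformatversion = 0\n"),
}

def sample_fetch(url: str) -> Tuple[int, str]:
    return SAMPLE_RESPONSES.get(url, (404, ""))

if __name__ == "__main__":
    # Offline demo against the constructed responses; pass fetch=http_fetch for a live check.
    print(check_git_exposure("https://example.invalid", fetch=sample_fetch))
```

If either flag is true, the fix is to deny the .git path at the web server (or keep the repository outside the document root) and rotate any secrets the repository contained.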
Digging further, the researchers were able to clone the .git repository and view various WordPress files associated with the website, including wp-config.php, one of the core WordPress files. It holds the site's MySQL database settings: the database name, host (typically localhost), username and password.
“This is an internal system, so it wouldn’t be a trivial matter to compromise it externally unless the password is re-used elsewhere, but there could be other routes. For example, ‘Authentication Unique Keys and Salts’ are of concern, as these have been used in the past to forge administrative cookies, which could potentially be used to deface or compromise the site,” the researchers said.
The team reported the issue to Proton Technologies, and the company fixed it four days later.