Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mautic v4 app/console cache:clear in container leaves the new cache owned as root.. #236

Open
jcalfee opened this issue Dec 19, 2022 · 3 comments
Open

Mautic v4 app/console cache:clear in container leaves the new cache owned as root.. #236

jcalfee opened this issue Dec 19, 2022 · 3 comments

Comments

@jcalfee
Copy link

jcalfee commented Dec 19, 2022
edited by RCheesley

mautic/mautic#11826

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.
@jcalfee
Copy link
Author

jcalfee commented Dec 19, 2022

https://docs.mautic.org/en/troubleshooting

image

No Mautic user in the container?

# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

@jcalfee
Copy link
Author

jcalfee commented Dec 19, 2022

A cross-site scripting (XSS) vulnerability in the assets component of Mautic before 3.2.4 allows remote attackers to inject executable JavaScript through the Referer header of asset downloads. CVE-2020-35124

Or, better yet make it a non-root container. Anyone have experience with Mautic as non-root here?

@gregismotion
Copy link

www-data is the mautic user.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jcalfee @gregismotion