| Title | Agentejo Cockpit CMS 0.12.2 CWE-552: Files or Directories Accessible to External Parties |
|---|
| Description | Cockpit CMS v1 (agentejo/cockpit) stores config/config.yaml in the webroot directory by default. The .htaccess file shipped with the application uses the <Files> directive to block .yaml files, but <Files> is directory-scoped and does NOT apply to files in subdirectories. This allows unauthenticated access to /config/config.yaml via a direct HTTP request, exposing SMTP credentials, API keys, database connection strings, and application secrets. nginx deployments receive zero protection because .htaccess is Apache-only.
Root cause confirmed via source code audit:
- bootstrap.php: COCKPIT_CONFIG_PATH = COCKPIT_CONFIG_DIR.'/config.yaml'
- COCKPIT_CONFIG_DIR defaults to {webroot}/config/
- .htaccess <Files ~ "\.(yaml|yml)$"> is non-recursive, only protects root
- Config loaded via Spyc::YAMLLoad() — parses and returns YAML unauthenticated
- install/index.php warns about admin/admin password only, never mentions securing config/
178+ live instances confirmed vulnerable across 4+ countries and 3 hosting platforms. Exposed credentials include shared SMTP credentials (77 French auto dealerships on eveho.io), Google Maps API key (72 German museum/UNESCO World Heritage sites on droidhosting.de), AWS S3 full read/write/delete access (hybrid-x.de), and verified working SMTP (poststudio.bg).
The vulnerability was silently fixed in Cockpit CMS v2 (Cockpit-HQ/Cockpit, same vendor Agentejo) by switching from config.yaml to config.php which executes rather than leaks, and replacing the <Files> directive with a recursive RewriteRule. However, no security advisory or migration notice was ever issued for v1 users, leaving all existing deployments exposed. v1 has been unmaintained since 2021.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 HIGH)
Solution: Move config.yaml outside webroot and update COCKPIT_CONFIG_DIR. Apache workaround: RewriteRule ^config/ - [F,L]. nginx workaround: location ~ ^/config/ { deny all; return 403; }. Or migrate to v2.
References: https://github.com/agentejo/cockpit (vulnerable v1), https://github.com/Cockpit-HQ/Cockpit (v2, fixed). Credits: Nov (nov-1337). |
|---|
| Source | https://gist.github.com/nov-1337/3eb0a06c602ced9c3b11b675b53947da |
|---|
| User | nov_ (UID 84150) |
|---|
| Submission | 28.05.2026 18:23 (1 month ago) |
|---|
| Moderation | 28.06.2026 11:22 (1 month later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 374541 [agentejo Cockpit CMS up to 0.12.2 htaccess /config/config.yaml Spyc::YAMLLoad privilege escalation] |
|---|
| Points | 20 |
|---|
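An added example (not code from the submission, the gist, or the Cockpit project) that checks whether a deployment still serves /config/config.yaml to anonymous clients, which is also the check to rerun after applying the Apache or nginx workaround. The verdict logic is separated from the HTTP fetch so it can be exercised offline on the constructed sample responses embedded below; the key names it treats as sensitive (sec-key, password, smtp, dsn, and so on) are assumptions about what a typical config.yaml holds, and the sample config is constructed, not taken from any real site.

```python
"""Check a Cockpit CMS v1 host for an exposed config/config.yaml (CWE-552).

Added example, not part of the VulDB submission or the Cockpit code base.
Secret values are never printed, only the key names and value lengths.
"""
import re
import sys
import urllib.error
import urllib.request

CONFIG_PATH = "/config/config.yaml"

# A line of the form `key: value` (a mapping with a scalar value).
YAML_LINE = re.compile(r"^\s*[A-Za-z0-9_.\-]+\s*:\s*\S")
# Key names that usually carry credentials. Assumption: these are the names
# a Cockpit v1 config.yaml tends to use; adjust for your own deployments.
SENSITIVE_KEY = re.compile(
    r"(password|passwd|secret|sec-key|api[_-]?key|token|smtp|dsn|access[_-]?key)",
    re.I,
)


def classify_response(status, content_type, body):
    """Return (verdict, findings).

    verdict: 'exposed'  - HTTP 200 and the body looks like a YAML config
             'blocked'  - 401/403/404, the expected result after the fix
             'unclear'  - HTTP 200 but the body is HTML or not YAML-like
                          (a soft-404 page, a WAF block page)
             'other'    - anything else (redirects, 5xx)
    findings: sensitive keys seen in the body, values redacted.
    """
    if status in (401, 403, 404):
        return "blocked", []
    if status != 200:
        return "other", []
    lowered = body.lower()
    if "text/html" in content_type.lower() or "<html" in lowered or "<!doctype" in lowered:
        return "unclear", []
    yaml_lines = [
        line for line in body.splitlines()
        if YAML_LINE.match(line) and not line.lstrip().startswith("#")
    ]
    if len(yaml_lines) < 2:
        return "unclear", []
    findings = []
    for line in yaml_lines:
        key, _, value = line.partition(":")
        if SENSITIVE_KEY.search(key) and value.strip():
            findings.append(f"{key.strip()}: <redacted {len(value.strip())} chars>")
    return "exposed", findings


def fetch(base_url, timeout=10):
    """Request base_url + CONFIG_PATH and return (status, content_type, body)."""
    url = base_url.rstrip("/") + CONFIG_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "config-exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type", "")
            return resp.status, ctype, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 403/404 arrive here; an empty body is enough to classify them.
        return err.code, err.headers.get("Content-Type", ""), ""


# Constructed sample responses for offline use; not real deployments.
SAMPLE_EXPOSED = """\
# constructed sample config
app.name: Example Site
sec-key: c3VwZXJzZWNyZXQ
database:
    server: mongolite://storage/data
    options:
        db: cockpitdb
mailer:
    from: noreply@example.invalid
    transport: smtp
    host: smtp.example.invalid
    user: mailer@example.invalid
    password: hunter2
"""
SAMPLE_SOFT404 = "<!DOCTYPE html><html><body>Not found</body></html>"


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} https://target.example", file=sys.stderr)
        return 2
    status, ctype, body = fetch(argv[1])
    verdict, findings = classify_response(status, ctype, body)
    print(f"{argv[1]}{CONFIG_PATH}: HTTP {status} -> {verdict}")
    for finding in findings:
        print("  ", finding)
    return 1 if verdict == "exposed" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against your own hosts only. A 200 that classifies as `unclear` still deserves a manual look, since a reverse proxy or WAF that rewrites responses can hide the file from this heuristic without the origin having been fixed; the reliable end state is a 403 or 404 from the origin, or the file living outside the webroot with COCKPIT_CONFIG_DIR pointed at it.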