Summary

FOG Server 1.5.10.41.4 can leak authorized and rejected logins via logs stored directly on the root of the web server.

Details

FOG Server creates 2 logs on the root of the web server (fog_login_accepted.log and fog_login_failed.log), exposing the name of the user account used to manage FOG, the IP address of the computer used to login and the User-Agent.

PoC

• Install a fresh Debian 12.6.0 (Bookwork), and install FOG Server. (tested with https://gemmei.ftp.acc.umu.se/debian-cd/current/amd64/iso-cd/debian-12.6.0-amd64-netinst.iso)
• Wait for an administrator to login
• Access to the server via http://<FOG_IP>/fog/fog_login_accepted.log or http://<FOG_IP>/fog/fog_login_failed.log
  You should see this :

[08-02-24 5:23:48 pm] - 192.168.0.42 - Mozilla/5.0 (Windows NT 10.0; rv:113.0) Gecko/20100101 Firefox/113.0 - Login accepted - username: fog logged in
[08-02-24 5:24:50 pm] - 192.168.0.42 - Mozilla/5.0 (Windows NT 10.0; rv:113.0) Gecko/20100101 Firefox/113.0 - Login accepted - username: fog logged in

or

[08-02-24 5:24:27 pm] - 192.168.0.42 - Mozilla/5.0 (Windows NT 10.0; rv:113.0) Gecko/20100101 Firefox/113.0 - Login failed - username: admin failed to login
[08-02-24 5:24:38 pm] - 192.168.0.42 - Mozilla/5.0 (Windows NT 10.0; rv:113.0) Gecko/20100101 Firefox/113.0 - Login failed - username: demo failed to login

Impact

All administrators managing FOG Server

Fast patch :

#!/bin/bash
source /opt/fog/.fogsettings

if [[ -z "${docroot}${webroot}" ]]; then
	echo "Error: no FOG installation detected on this server."
	exit 1
fi
touch "${docroot}${webroot}fog_login_accepted.log"
touch "${docroot}${webroot}fog_login_failed.log"
chmod 0200 "${docroot}${webroot}fog_login_accepted.log"
chmod 0200 "${docroot}${webroot}fog_login_failed.log"
chown www-data:www-data "${docroot}${webroot}fog_login_accepted.log"
chown www-data:www-data "${docroot}${webroot}fog_login_failed.log"