osCommerce file

Hi Metabase Team!

We recently deployed MB 0.41.6 and a Greenbone scan came up with these vulnerabilities.

A scan was performed a few weeks ago and these vulnerabilities didn't show up. I'm not 100% sure, but I think we were on 0.41.5 then.

What is the file_manager.php used for? Or in other words: if we remove it temporarily, what would be the impact?

Any feedback would be much appreciated, thanks!

Hi @FWalder
First off, this is how security vulnerabilities in Metabase should be reported: https://github.com/metabase/metabase/security/policy

Second, that's a report of a vulnerability in something else you are using, not in Metabase, since Metabase is not a PHP application and Metabase does not use a non-root location.
So you need to spend some time on finding the actual hole, since it sounds like it's coming from different software.

Thanks for the quick response @flamber! I found it confusing as well, but since they were able to deposit something in the metabase directory, my path led to you.

Anyway, I'll continue my search elsewhere.

@FWalder There's no "metabase directory". You are using a reverse-proxy, so there should not be a directory, since the location path is referencing a proxy backend server (in this case Metabase).

But since the report clearly says that the flaw is in osCommerce's file file_manager.php, then I would probably make sure you're up-to-date with that and any plugins. And even when you think you're up-to-date, then you would need to validate that none of the files have been tampered with.

I used to do Magento security many years ago and it takes a lot of skills to secure installations.

Thanks mate, I appreciate you spending so much time on this.

When I talked about the "metabase directory" I was referencing the vulnerability report.

This whole thing is very confusing as there is no such thing as osCommerce installed on the machine. I initially thought the vulnerability report was referencing a library that Metabase may have shared with osCommerce, but since there is no PHP in MB ...

Fun fact, there shouldn't be any PHP on that machine in any of the containers that run there.

Anyway, please forget about it and don't spend any more time on it.

Hi everyone, sorry to open up this conversation again.
We are experiencing the same issue with OpenVAS against Metabase v0.44.2.

In addition to the osCommerce vulnerability, another vulnerability is reported: ClearBudget Invalid '.htaccess' Unauthorized Access Vulnerability

Neither of the software packages mentioned in the report is installed, and this machine is used exclusively for Metabase.
Any hints on what might have solved this for you are much appreciated!

Metabase has absolutely no references to osCommerce or ClearBudget as Metabase has absolutely no PHP runtime (it's a Java runtime), so it's a buggy scanner you're using - use a proper scanner.
Latest release of Metabase is 0.45.1: https://github.com/metabase/metabase/releases/latest

Thank you for your quick response.

The issue turned out to be a combination of Metabase returning the login page for invalid paths and the scanner not checking the response content thoroughly enough.

Our "solution" is an exception for the scanner to not report those two specific vulnerabilities on this server.
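The failure mode described in the last post (a single-page app answering every unknown path with the same HTML shell, which a scanner then mistakes for the probed file) can be ruled out scanner-side by comparing each probe against a baseline request for a path that cannot exist. The following is an added example, not code from the thread, from Metabase or from Greenbone/OpenVAS; the HTML shell, the `Response` type and the "File Manager" marker string are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass
class Response:
    """Minimal stand-in for an HTTP response; no network, constructed inline."""
    status: int
    body: str


# Constructed stand-in for a single-page-app shell. A front end like Metabase's
# returns one HTML shell (which then renders the login page) for any unknown path.
SPA_SHELL = (
    '<html><head><title>Metabase</title></head><body>'
    '<div id="root"></div><script src="/app/dist/app-main.js"></script>'
    '</body></html>'
)


def fetch_baseline() -> Response:
    """Simulates requesting a path that cannot exist (e.g. /zz-nonexistent-4f2a9c)."""
    return Response(200, SPA_SHELL)


def _digest(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def looks_like_catch_all(baseline: Response, probe: Response, threshold: float = 0.9) -> bool:
    """True when the probe got the same generic page the server returns for any path."""
    if probe.status != baseline.status:
        return False
    if _digest(probe.body) == _digest(baseline.body):
        return True
    # Tolerate small dynamic differences (nonces, timestamps) in otherwise identical shells.
    return SequenceMatcher(None, baseline.body, probe.body).ratio() >= threshold


def classify_probe(baseline: Response, probe: Response, marker: str) -> str:
    """Classify a path-existence probe before it is allowed to become a finding.

    'catch-all'   : same page as the baseline, so the path proves nothing
    'no-finding'  : a different page, but the expected marker text is absent
    'needs-review': a different page containing the marker; confirm by hand
    """
    if looks_like_catch_all(baseline, probe):
        return "catch-all"
    if marker not in probe.body:
        return "no-finding"
    return "needs-review"


if __name__ == "__main__":
    # A PHP path on a Java-only host: the server answers with the SPA shell again.
    print(classify_probe(fetch_baseline(), Response(200, SPA_SHELL), "File Manager"))
```

Adding the same baseline comparison to a scanner exception rule is what turns "200 OK on file_manager.php" from a finding into a suppressed false positive.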