From 51bcf17be8f5490968d10db9a1e29c63743e7c8d Mon Sep 17 00:00:00 2001
From: kazet <krzysztof.zajac@cert.pl>
Date: Thu, 11 Jul 2024 12:21:45 +0200
Subject: [PATCH] Better open database port messages (#1143)

---
 artemis/config.py                             |  2 +-
 .../template_nuclei_exposed_panel.jinja2      | 15 ++++++++++
 .../en_US/LC_MESSAGES/messages.po             | 15 ++++++++--
 .../pl_PL/LC_MESSAGES/messages.po             | 22 ++++++++++++--
 .../template_open_port_database.jinja2        | 11 ++++---
 .../en_US/LC_MESSAGES/messages.po             | 14 +++++----
 .../pl_PL/LC_MESSAGES/messages.po             | 29 ++++++++++++-------
 7 files changed, 82 insertions(+), 26 deletions(-)

diff --git a/artemis/config.py b/artemis/config.py
index 670a904f3..baafdcdaf 100644
--- a/artemis/config.py
+++ b/artemis/config.py
@@ -78,7 +78,7 @@ class Reporting:
         MIN_DAYS_BETWEEN_REMINDERS__SEVERITY_LOW: Annotated[
             int,
             "If a low-severity report has already been seen earlier - how much time needs to pass for a second report to be generated.",
-        ] = get_config("MIN_DAYS_BETWEEN_REMINDERS__SEVERITY_LOW", default=8 * 30, cast=int)
+        ] = get_config("MIN_DAYS_BETWEEN_REMINDERS__SEVERITY_LOW", default=18 * 30, cast=int)
 
         MIN_DAYS_BETWEEN_REMINDERS__SEVERITY_MEDIUM: Annotated[
             int,
diff --git a/artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2 b/artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2
index b02dbf1e8..8fa8deaf6 100644
--- a/artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2
+++ b/artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2
@@ -1,4 +1,6 @@
 {% if "nuclei_exposed_panel" in data.contains_type %}
+     {% set contains_db_admin = namespace(data=0) %}
+
     <li>{% trans %}The following addresses contain login panels, analytics services, management panels etc.:{% endtrans %}
         <ul>
             {% for report in data.reports %}
@@ -6,6 +8,9 @@
                     <li>
                         {{ report.target }}: {{ report.additional_data.description_translated }}
                         {{ report_meta(report) }}
+                        {% if 'phpmyadmin' in report.target.lower() or 'phpppgadmin' in report.target.lower() %}
+                            {% set contains_db_admin.data = 1 %}
+                        {% endif %}
                     </li>
                 {% endif %}
             {% endfor %}
@@ -17,6 +22,16 @@
                 recommend to have as few such publicly accessible services as possible.
             {% endtrans %}
         </p>
+        {% if contains_db_admin.data %}
+            <p>
+                {% trans trimmed %}
+                    A password leak may be caused by an accidentally exposed configuration file such as a backup of
+                    <tt>/wp-config.php</tt> or by a local file inclusion vulnerability. Such mistakes are
+                    frequent, and lack of publicly exposed database management panels makes it significantly
+                    harder to perform an attack.
+                {% endtrans %}
+            </p>
+        {% endif %}
         <p>
             {% trans trimmed %}
                 We recommend that such resources are only available in an internal network, using a VPN
diff --git a/artemis/reporting/modules/nuclei/translations/en_US/LC_MESSAGES/messages.po b/artemis/reporting/modules/nuclei/translations/en_US/LC_MESSAGES/messages.po
index e5915dd64..2c46b0423 100644
--- a/artemis/reporting/modules/nuclei/translations/en_US/LC_MESSAGES/messages.po
+++ b/artemis/reporting/modules/nuclei/translations/en_US/LC_MESSAGES/messages.po
@@ -1,10 +1,10 @@
-#: artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2:2
+#: artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2:4
 msgid ""
 "The following addresses contain login panels, analytics services, "
 "management panels etc.:"
 msgstr ""
 
-#: artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2:14
+#: artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2:19
 msgid ""
 "To decrease the probability of an attack (caused by an attacker using a "
 "leaked password, by one of the accounts having a weak password, or by "
@@ -12,7 +12,16 @@ msgid ""
 "publicly accessible services as possible."
 msgstr ""
 
-#: artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2:21
+#: artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2:27
+msgid ""
+"A password leak may be caused by an accidentally exposed configuration "
+"file such as a backup of <tt>/wp-config.php</tt> or by a local file "
+"inclusion vulnerability. Such mistakes are frequent, and lack of publicly"
+" exposed database management panels makes it significantly harder to "
+"perform an attack."
+msgstr ""
+
+#: artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2:36
 msgid ""
 "We recommend that such resources are only available in an internal "
 "network, using a VPN or from a restricted set of IP addresses."
diff --git a/artemis/reporting/modules/nuclei/translations/pl_PL/LC_MESSAGES/messages.po b/artemis/reporting/modules/nuclei/translations/pl_PL/LC_MESSAGES/messages.po
index 3ee15cda0..9edc9bacf 100644
--- a/artemis/reporting/modules/nuclei/translations/pl_PL/LC_MESSAGES/messages.po
+++ b/artemis/reporting/modules/nuclei/translations/pl_PL/LC_MESSAGES/messages.po
@@ -1,4 +1,4 @@
-#: artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2:2
+#: artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2:4
 msgid ""
 "The following addresses contain login panels, analytics services, "
 "management panels etc.:"
@@ -6,7 +6,7 @@ msgstr ""
 "Poniższe adresy zawierają zasoby takie jak panele logowania, narzędzia "
 "analityczne, panele administracyjne itp.:"
 
-#: artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2:14
+#: artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2:19
 msgid ""
 "To decrease the probability of an attack (caused by an attacker using a "
 "leaked password, by one of the accounts having a weak password, or by "
@@ -18,7 +18,23 @@ msgstr ""
 "usłudze) rekomendujemy, aby jak najmniej takich zasobów było dostępnych "
 "publicznie."
 
-#: artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2:21
+#: artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2:27
+msgid ""
+"A password leak may be caused by an accidentally exposed configuration "
+"file such as a backup of <tt>/wp-config.php</tt> or by a local file "
+"inclusion vulnerability. Such mistakes are frequent, and lack of publicly"
+" exposed database management panels makes it significantly harder to "
+"perform an attack."
+msgstr ""
+"Do  wycieku hasła może dojść np. gdy kopia zapasowa pliku "
+"konfiguracyjnego takiego jak <tt>/wp.config.php</tt> zostanie przypadkowo"
+" upubliczniona, lub gdy zostanie wykorzystana podatność w aplikacji "
+"pozwalająca na odczyt plików. Z doświadczeń CERT Polska w obsłudze "
+"incydentów wynika, że takie błędy są częste, a brak publicznie dostępnego"
+" panelu zarządzania bazą danych znacząco utrudnia atakującym dalsze "
+"prowadzenie ataku."
+
+#: artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2:36
 msgid ""
 "We recommend that such resources are only available in an internal "
 "network, using a VPN or from a restricted set of IP addresses."
diff --git a/artemis/reporting/modules/port_scanner/template_open_port_database.jinja2 b/artemis/reporting/modules/port_scanner/template_open_port_database.jinja2
index a2a7cf895..3b8e8e15d 100644
--- a/artemis/reporting/modules/port_scanner/template_open_port_database.jinja2
+++ b/artemis/reporting/modules/port_scanner/template_open_port_database.jinja2
@@ -12,10 +12,13 @@
         </ul>
         <p>
             {% trans trimmed %}
-                Databases shouldn't be publicly available - an attack is possible when the password
-                leaks (e.g. because of an exposed configuration file such as a backup of <tt>/wp-config.php</tt>).
-                The recommended configuration is to make the database
-                available to the application locally or using an internal network.
+                We do not recommend database ports to be publicly available - although they require correct username
+                and password to login, an attack is possible when the password leaks or is too simple.
+                A password leak may be caused e.g. by an accidentally exposed configuration file such as a backup of
+                <tt>/wp-config.php</tt> or by a local file inclusion vulnerability. Such mistakes are frequent, and lack of publicly exposed
+                database ports makes it significantly harder to perform an attack.
+
+                The recommended configuration is to make the database available to the application locally or using an internal network.
             {% endtrans %}
         </p>
     </li>
diff --git a/artemis/reporting/modules/port_scanner/translations/en_US/LC_MESSAGES/messages.po b/artemis/reporting/modules/port_scanner/translations/en_US/LC_MESSAGES/messages.po
index c2441733d..e964b014c 100644
--- a/artemis/reporting/modules/port_scanner/translations/en_US/LC_MESSAGES/messages.po
+++ b/artemis/reporting/modules/port_scanner/translations/en_US/LC_MESSAGES/messages.po
@@ -9,11 +9,15 @@ msgstr ""
 
 #: artemis/reporting/modules/port_scanner/template_open_port_database.jinja2:14
 msgid ""
-"Databases shouldn't be publicly available - an attack is possible when "
-"the password leaks (e.g. because of an exposed configuration file such as"
-" a backup of <tt>/wp-config.php</tt>). The recommended configuration is "
-"to make the database available to the application locally or using an "
-"internal network."
+"We do not recommend database ports to be publicly available - although "
+"they require correct username and password to login, an attack is "
+"possible when the password leaks or is too simple. A password leak may be"
+" caused e.g. by an accidentally exposed configuration file such as a "
+"backup of <tt>/wp-config.php</tt> or by a local file inclusion "
+"vulnerability. Such mistakes are frequent, and lack of publicly exposed "
+"database ports makes it significantly harder to perform an attack. The "
+"recommended configuration is to make the database available to the "
+"application locally or using an internal network."
 msgstr ""
 
 #: artemis/reporting/modules/port_scanner/template_open_port_remote_desktop.jinja2:2
diff --git a/artemis/reporting/modules/port_scanner/translations/pl_PL/LC_MESSAGES/messages.po b/artemis/reporting/modules/port_scanner/translations/pl_PL/LC_MESSAGES/messages.po
index c3eb45fcc..43edef840 100644
--- a/artemis/reporting/modules/port_scanner/translations/pl_PL/LC_MESSAGES/messages.po
+++ b/artemis/reporting/modules/port_scanner/translations/pl_PL/LC_MESSAGES/messages.po
@@ -9,17 +9,26 @@ msgstr "domena: "
 
 #: artemis/reporting/modules/port_scanner/template_open_port_database.jinja2:14
 msgid ""
-"Databases shouldn't be publicly available - an attack is possible when "
-"the password leaks (e.g. because of an exposed configuration file such as"
-" a backup of <tt>/wp-config.php</tt>). The recommended configuration is "
-"to make the database available to the application locally or using an "
-"internal network."
+"We do not recommend database ports to be publicly available - although "
+"they require correct username and password to login, an attack is "
+"possible when the password leaks or is too simple. A password leak may be"
+" caused e.g. by an accidentally exposed configuration file such as a "
+"backup of <tt>/wp-config.php</tt> or by a local file inclusion "
+"vulnerability. Such mistakes are frequent, and lack of publicly exposed "
+"database ports makes it significantly harder to perform an attack. The "
+"recommended configuration is to make the database available to the "
+"application locally or using an internal network."
 msgstr ""
-"Bazy danych nie powinny być publicznie dostępne - atak jest możliwy np. "
-"gdy hasło wycieknie (np. gdy kopia zapasowa pliku konfiguracyjnego "
-"takiego jak <tt>/wp.config.php</tt> zostanie przypadkowo upubliczniona). "
-"Zalecamy, aby baza danych była dostępna tylko lokalnie lub w sieci "
-"wewnętrznej."
+"Nie rekomendujemy, aby porty baz danych były publicznie dostępne - "
+"logowanie wymaga podania nazwy użytkownika i hasła, lecz atak jest "
+"możliwy gdy hasło wycieknie, lub jest zbyt małej złożoności. Do wycieku "
+"hasła może dojść np. gdy kopia zapasowa pliku konfiguracyjnego takiego "
+"jak <tt>/wp.config.php</tt> zostanie przypadkowo upubliczniona, lub gdy "
+"zostanie wykorzystana podatność w aplikacji pozwalająca na odczyt plików."
+" Z doświadczeń CERT Polska w obsłudze incydentów wynika, że takie błędy "
+"są częste, a brak publicznie dostępnego panelu zarządzania bazą danych "
+"znacząco utrudnia atakującym dalsze prowadzenie ataku. Zalecamy, aby baza"
+" danych była dostępna tylko lokalnie lub w sieci wewnętrznej."
 
 #: artemis/reporting/modules/port_scanner/template_open_port_remote_desktop.jinja2:2
 msgid "The following servers have remote desktop ports open:"