CVE-2023-42387

An attacker can send a request to the `/tdsqlpcloud/index.php/api/install/get_db_info` endpoint. This endpoint is part of the TDSQL Chitu management platform and is accessible remotely. Upon receiving the request, the `get_db_info` function executes without any authentication, directly returning the database hostname, port, username, and password in plain text [ref_id=1]. This information can then be used by the attacker to log into the database.

The vulnerability resides in the `get_db_info` function within the `install.php` file of the TDSQL Chitu management platform. The advisory indicates that the `__construct` method of the `Install` class and the `get_db_info` function itself are the relevant code sections [ref_id=1].

The advisory suggests modifying the `__construct` method of the `Install` class by changing `parent::__construct(false)` to `parent::__construct(true)`. Additionally, the `get_db_info` function's visibility should be changed from `public` to `protect`. These changes likely enforce authentication and restrict access to the `get_db_info` function, preventing unauthorized disclosure of database credentials [ref_id=1].

1. Access the endpoint `http://tdsql-xxxxxxx.com/tdsqlpcloud/index.php/api/install/get_db_info`. 2. Obtain the plaintext database account password. 3. Log in to the database using the obtained credentials [ref_id=1].