Source: debci Version: 2.12.2 Severity: normal User: de...@kali.org Usertags: origin-kali
When using sqlite storage, the debci.sqlite3 file is exposed in https://<fqdn>/data, just by virtue of the this file being stored by default in data/. Since it can contain private tokens (even though they're hashed), this requires adding an extra nginx/apache rule to prevent serving this file. I am not sure about the proper resolution for this: should it simply be documented? Should the DB file live elsewhere by default? -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.4.0-4-amd64 (SMP w/36 CPU cores) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled