severity 312821 grave tags 312821 security thanks On Fri, Jun 10, 2005 at 11:54:35AM +0200, Jerome Warnier wrote: > Package: webcalendar > Version: 0.9.45-4 > Severity: critical
> [EMAIL PROTECTED]:/etc/webcalendar$ ls -l /etc/webcalendar/ > total 88 > -rw-r--r-- 1 root root 487 May 18 18:39 apache.conf > -rw-r--r-- 1 root root 461 Nov 11 2004 print_styles.css > -rw-r--r-- 1 www-data www-data 378 Apr 25 11:52 settings.php > -rw-r--r-- 1 root root 369 Apr 20 11:06 settings.php.old > -rw-r--r-- 1 root root 774 Dec 28 23:22 settings.php.tpl > -rw-r--r-- 1 root root 6701 Nov 16 2004 site_extras.php > -rw-r--r-- 1 root root 21879 Dec 7 2004 styles.php > -rw-r--r-- 1 root root 12133 Dec 14 01:09 user-ldap.php > -rw-r--r-- 1 root root 11417 Nov 16 2004 user-nis.php > -rw-r--r-- 1 root root 11647 Nov 25 2004 user.php > All configuration files are world-readable. As settings.php includes a > clear-text password and login to the database, this it highly unsecure, > hence the severity critical. Wish I had seen this before Sarge's > release. That would seem to be a user-level security hole, not a root-level security hole, so the proper severity would be "grave". And of course, the bug should be tagged "security". -- Steve Langasek postmodern programmer
signature.asc
Description: Digital signature
