Could you double-check that version? Version 0.9.45-4 fixes this bug. On Fri, Jun 10, 2005 at 11:54:35AM +0200, Jerome Warnier wrote: > Package: webcalendar > Version: 0.9.45-4 > Severity: critical > > [EMAIL PROTECTED]:/etc/webcalendar$ ls -l /etc/webcalendar/ > total 88 > -rw-r--r-- 1 root root 487 May 18 18:39 apache.conf > -rw-r--r-- 1 root root 461 Nov 11 2004 print_styles.css > -rw-r--r-- 1 www-data www-data 378 Apr 25 11:52 settings.php > -rw-r--r-- 1 root root 369 Apr 20 11:06 settings.php.old > -rw-r--r-- 1 root root 774 Dec 28 23:22 settings.php.tpl > -rw-r--r-- 1 root root 6701 Nov 16 2004 site_extras.php > -rw-r--r-- 1 root root 21879 Dec 7 2004 styles.php > -rw-r--r-- 1 root root 12133 Dec 14 01:09 user-ldap.php > -rw-r--r-- 1 root root 11417 Nov 16 2004 user-nis.php > -rw-r--r-- 1 root root 11647 Nov 25 2004 user.php > > > All configuration files are world-readable. As settings.php includes a > clear-text password and login to the database, this it highly unsecure, > hence the severity critical. Wish I had seen this before Sarge's > release. > > Thanks > -- > Jerome Warnier <[EMAIL PROTECTED]> > BeezNest > >
-- Timothy Peeler <[EMAIL PROTECTED]> Senior Programmer, Systems Administrator LinuxForce Inc. (http://www.LinuxForce.net) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
