On Monday 13 June 2005 at 13:57 -0400, Tim Peeler wrote:
> On Mon, Jun 13, 2005 at 03:03:17PM +0200, Jerome Warnier wrote:
> > On Friday 10 June 2005 at 16:20 -0400, Tim Peeler wrote:
> > > Could you double-check that version? Version 0.9.45-4 fixes this bug.
> > I'm positively sure about the current version, though I think it was an
> > upgrade from an older version.
> > Could you tell me what it should look like with a fresh install?
>
> It's probably not fixing the permissions because you've already got your
> settings.php and you haven't reconfigured. I think it's important
> enough that I'm going to have the postinst fix permissions even w/o a
> reconfigure.

Yes, it would seem appropriate to me, thanks.

> Tim
>
> $ ls -l /etc/webcalendar
> -rw-r--r-- 1 root root 430 2004-12-15 12:09 apache.conf
> -rw-r--r-- 1 root root 461 2004-11-11 05:24 print_styles.css
> -rw-r----- 1 root www-data 635 2005-06-10 16:10 settings.php
> -rw-r--r-- 1 root root 774 2004-12-15 12:57 settings.php.tpl
> -rw-r--r-- 1 root root 6701 2004-11-16 01:51 site_extras.php
> -rw-r--r-- 1 root root 21879 2004-12-06 20:12 styles.php
> -rw-r--r-- 1 root root 12133 2004-12-13 19:09 user-ldap.php
> -rw-r--r-- 1 root root 11417 2004-11-16 10:35 user-nis.php
> -rw-r--r-- 1 root root 11647 2004-11-24 19:41 user.php
>
> > > On Fri, Jun 10, 2005 at 11:54:35AM +0200, Jerome Warnier wrote:
> > > > Package: webcalendar
> > > > Version: 0.9.45-4
> > > > Severity: critical
> > > >
> > > > [EMAIL PROTECTED]:/etc/webcalendar$ ls -l /etc/webcalendar/
> > > > total 88
> > > > -rw-r--r-- 1 root root 487 May 18 18:39 apache.conf
> > > > -rw-r--r-- 1 root root 461 Nov 11 2004 print_styles.css
> > > > -rw-r--r-- 1 www-data www-data 378 Apr 25 11:52 settings.php
> > > > -rw-r--r-- 1 root root 369 Apr 20 11:06 settings.php.old
> > > > -rw-r--r-- 1 root root 774 Dec 28 23:22 settings.php.tpl
> > > > -rw-r--r-- 1 root root 6701 Nov 16 2004 site_extras.php
> > > > -rw-r--r-- 1 root root 21879 Dec 7 2004 styles.php
> > > > -rw-r--r-- 1 root root 12133 Dec 14 01:09 user-ldap.php
> > > > -rw-r--r-- 1 root root 11417 Nov 16 2004 user-nis.php
> > > > -rw-r--r-- 1 root root 11647 Nov 25 2004 user.php
> > > >
> > > >
> > > > All configuration files are world-readable. As settings.php includes a
> > > > clear-text password and login to the database, this is highly unsecure,
> > > > hence the severity critical. Wish I had seen this before Sarge's
> > > > release.
> > > >
> > > > Thanks

--
Jerome Warnier <[EMAIL PROTECTED]>
BeezNest
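
An idempotent permission fix of the kind discussed in this thread, one that can run on every upgrade rather than only on reconfigure. This is an added example, not part of the original messages and not the webcalendar package's postinst; the function names and argument order are assumptions, while the target state (owner root, group www-data, mode 0640) is taken from the fixed listing quoted above.

```shell
#!/bin/sh
# Added example: NOT the webcalendar package's actual postinst.
# Function names and argument order are assumptions made for illustration.

# Return 0 if "other" has any read, write or execute bit on the path.
# find is used instead of stat because stat's options differ across systems.
world_accessible() {
    [ -n "$(find "$1" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)" ]
}

# Bring a credentials file to owner rw, group r, nothing for others.
# $1 = file, $2 = owner (default root), $3 = web server group (default www-data)
fix_secret_perms() {
    secret_file=$1
    secret_owner=${2:-root}
    secret_group=${3:-www-data}

    # Refuse symlinks: chown/chmod would otherwise act on the link target.
    if [ -L "$secret_file" ]; then
        echo "refusing to touch symlink: $secret_file" >&2
        return 1
    fi
    # No file yet (package not configured): nothing to fix, not an error.
    if [ ! -f "$secret_file" ]; then
        return 0
    fi
    # Unconditional and idempotent, so an upgrade from an older version
    # is corrected even when settings.php already exists.
    chown "$secret_owner:$secret_group" "$secret_file" || return 1
    chmod 0640 "$secret_file"
}

# Run only when a file is given, e.g.:
#   sh fixperms.sh /etc/webcalendar/settings.php
if [ "$#" -gt 0 ]; then
    fix_secret_perms "$@"
    if world_accessible "$1"; then
        echo "still accessible to others: $1" >&2
        exit 1
    fi
fi
```

Taking the owner away from www-data also addresses the original listing, in which the web server user owned settings.php and could rewrite it.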