Package: digitaldj
Version: 0.6-7.1
Severity: important
Tags: security
When a user runs ddj and sets (among other things) a username/password for database access, that information is stored in ~/.ddj, which is saved as mode 0644 (i.e. world/group readable). Mode 066 (readable/writeable only by owner) would be preferable; effects of this file being world-readable range from an attacker changing or deleting data from the database, to full database access (if the user is silly enough to use the same password for other things).

Another, more minor, problem appears when ddj is started for the first time: it suggests that the default mysql root password is blank. While this is true, it might be a good idea to suggest putting in a real password if it is.

.....Ron Murray

-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux khufu 2.4.19-xfs-khufu-6 #1 Tue Feb 18 20:31:57 EST 2003 i686
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages digitaldj depends on:
ii  amp                   0.7.6-7      The Audio MPEG Player
ii  libc6                 2.2.5-14.3   GNU C Library: Shared libraries an
ii  libglib1.2            1.2.10-6     The GLib library of C routines
ii  libgtk1.2             1.2.10-14    The GIMP Toolkit set of widgets fo
ii  libmysqlclient10      3.23.54a-1   mysql database client library
ii  mpg123                0.59r-13     MPEG layer 1/2/3 audio player
ii  mpg123-nas [mpg123]   0.59r-13     MPEG layer 1/2/3 audio player with
ii  mpg321 [mpg123]       0.2.10.1     A Free command-line mp3 player, co
ii  xlibs                 4.2.1-3      X Window System client libraries
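An added illustration of the fix for the file-mode problem described in the report; this is not code from the digitaldj package or from the reporter. It shows a config writer that leaves the file at 0644 (the reported behaviour), the owner-only version a maintainer would substitute, and a check that flags a config file readable by group or others. The path and the sample config contents are constructed for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path is readable/writable by group or others (the ~/.ddj case
 * in the report), 0 if owner-only, -1 if it cannot be stat()ed. */
int config_is_exposed(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? 1 : 0;
}

/* Create/truncate path, force its mode, write contents, close. 0 on success.
 * fchmod() is used because the mode given to open() only applies on creation
 * and is filtered by umask; an existing 0644 file would otherwise stay 0644. */
static int write_config(const char *path, mode_t mode, const char *contents)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0) return -1;
    size_t len = strlen(contents);
    int ok = fchmod(fd, mode) == 0 && write(fd, contents, len) == (ssize_t)len;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Reproduces the reported behaviour for the demo: credentials left at 0644. */
int save_config_naive(const char *path, const char *contents)
{
    return write_config(path, 0644, contents);
}

/* Fixed behaviour: owner read/write only, tightened before the write. */
int save_config_private(const char *path, const char *contents)
{
    return write_config(path, S_IRUSR | S_IWUSR, contents);
}

int main(void)
{
    const char *path = "/tmp/ddj_demo.cfg";                /* constructed demo path */
    const char *cfg = "dbuser=ddj\ndbpass=example\n";      /* constructed sample */
    save_config_naive(path, cfg);
    printf("naive save:   exposed=%d\n", config_is_exposed(path));
    save_config_private(path, cfg);
    printf("private save: exposed=%d\n", config_is_exposed(path));
    unlink(path);
    return 0;
}
```

The same check run over a real ~/.ddj (or any file holding database credentials) is a quick way for an administrator to confirm the mode before and after upgrading the package.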