Package: phpgacl
Version: 3.3.7-7.2
Severity: grave
Tags: security
Justification: user security hole
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

phpgacl creates the following directory upon installation:

  drwxrwxrw- 2 root www-data 40 Jun 17 17:48 /usr/share/phpgacl/admin/templates_c

The postinst has the following code to do this:

  # Ensure the templates_c directory needed by smarty is writable by www-data
  if [ ! -x /usr/sbin/dpkg-statoverride ] || \
     ! dpkg-statoverride --list /usr/share/phpgacl/admin/templates_c > /dev/null
  then
      chown root:www-data /usr/share/phpgacl/admin/templates_c
      chmod -R 776 /usr/share/phpgacl/admin/templates_c
  fi

There is no indication why this is world writable. 0775 or 0770 should be
sufficient. Even if an ordinary local user cannot list the contents of the
directory, he may correctly derive/guess filenames (unless they are
exclusively $(mktemp)) and delete and replace files in there.

I don't know how phpgacl works, how it uses this directory, or what problems
could possibly arise out of this. I just wrote the piuparts test for finding
world writable directories :-)

Andreas
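The kind of check described in the report, as an added example that is neither piuparts' nor the phpgacl package's own code: a POSIX shell function that lists directories under a tree which are writable by others and lack the sticky bit (the condition flagged above), and a second function that applies the 0770 permissions the report suggests instead of the postinst's `chmod -R 776`. The tree root and group name are parameters supplied by the caller.

```shell
#!/bin/sh
# Added example, not taken from piuparts or phpgacl.
# find_world_writable_dirs ROOT
#   Prints every directory below ROOT whose mode has the other-write bit
#   (-perm -002) and not the sticky bit (! -perm -1000). Sticky
#   world-writable directories such as /tmp are deliberately excluded,
#   since there only the owner may delete or rename entries.
find_world_writable_dirs() {
    find "$1" -type d -perm -002 ! -perm -1000 2>/dev/null
}

# fix_templates_dir DIR GROUP
#   The postinst fragment from the report with the permission the report
#   proposes: owner root, the web-server group, mode 0770 and no -R.
#   chown needs root, so it is only attempted when running as uid 0
#   (in a maintainer script that is always the case).
fix_templates_dir() {
    dir=$1
    grp=${2:-www-data}
    if [ "$(id -u)" -eq 0 ]; then
        chown "root:$grp" "$dir" || return 1
    fi
    chmod 0770 "$dir"
}

# Stand-alone use: scan the tree given as first argument, e.g. a package's
# staged install root, and print offending directories one per line.
if [ $# -gt 0 ]; then
    find_world_writable_dirs "$1"
fi
```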