Package: twiki
Version: 4.1.2-1
Severity: normal

Hi.

The default config for cfg{RCS}{WorkAreaDir} is to use PubDir/_work_areas/ as the
"work area" for plugins (see /var/www/twiki/pub/_work_areas/README).

However, this dir (/var/www/twiki/pub/_work_areas) potentially exposes its
content (as http://localhost/twiki/pub/_work_areas) on the web (it's only
protected by a .htaccess, which may easily be inactive due to disabling of
overrides in the Apache config).

This directory is supposed to be used by TWiki plugins to store tempfiles, etc. 
Exposing such files may constitute a security risk.

I think it may be wise to put such a work area in a dir like
/var/lib/apache2/twiki, which would be owned by www-data but not accessible from
the web (by setting cfg{RCS}{WorkAreaDir} accordingly).

Hope this helps.


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-5-xen-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages twiki depends on:
ii  apache2.2-common           2.2.4-3       Next generation, scalable, extenda
ii  debconf [debconf-2.0]      1.5.14        Debian configuration management sy
pn  libalgorithm-diff-perl     <none>        (no description available)
pn  libcgi-session-perl        <none>        (no description available)
ii  libdigest-sha1-perl        2.11-2        NIST SHA-1 message digest algorith
pn  liberror-perl              <none>        (no description available)
ii  libhtml-parser-perl        3.56-1        A collection of modules that parse
pn  liblocale-maketext-lexicon <none>        (no description available)
pn  libtext-diff-perl          <none>        (no description available)
ii  liburi-perl                1.35.dfsg.1-1 Manipulates and accesses URI strin
ii  perl [libmime-base64-perl] 5.8.8-7       Larry Wall's Practical Extraction 
ii  perl-modules [libnet-perl] 5.8.8-7       Core Perl modules
ii  rcs                        5.7-20        The GNU Revision Control System

twiki recommends no packages.
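The exposure described in this report can be checked mechanically. The following is an added example (not code from the report or from TWiki): it parses constructed LocalSite.cfg fragments, works out whether the configured work area lies under PubDir and at which URL path Apache would serve it, and distinguishes "protected only by .htaccess" from "exposed because AllowOverride is None". The config fragments and the hardened path are sample input; the hardened path is the one the report proposes.

```python
"""Audit the TWiki {RCS}{WorkAreaDir} setting for web exposure (added example,
not code from the bug report or TWiki; LocalSite.cfg fragments are constructed)."""
import os
import re

# Constructed fragment in the Perl syntax TWiki's LocalSite.cfg uses (default layout).
DEFAULT_CFG = r"""
$TWiki::cfg{PubDir} = '/var/www/twiki/pub';
$TWiki::cfg{PubUrlPath} = '/twiki/pub';
$TWiki::cfg{RCS}{WorkAreaDir} = "$TWiki::cfg{PubDir}/_work_areas";
"""

# Same fragment with the work area moved outside the web root, as the report suggests.
HARDENED_CFG = DEFAULT_CFG.replace(
    '"$TWiki::cfg{PubDir}/_work_areas"', "'/var/lib/apache2/twiki'")

def parse_cfg(text):
    """Collect $TWiki::cfg{...} assignments, expanding references to earlier keys."""
    cfg = {}
    pattern = r'\$TWiki::cfg(\{[^=]+?\})\s*=\s*["\']([^"\']*)["\']\s*;'
    for key, val in re.findall(pattern, text):
        val = re.sub(r'\$TWiki::cfg((?:\{\w+\})+)', lambda m: cfg.get(m.group(1), ''), val)
        cfg[key] = val
    return cfg

def web_path_for(cfg, directory):
    """URL path Apache serves `directory` at, or None when it lies outside PubDir."""
    pub = os.path.normpath(cfg['{PubDir}'])
    target = os.path.normpath(directory)
    if os.path.commonpath([pub, target]) != pub:
        return None
    rel = os.path.relpath(target, pub)
    return cfg['{PubUrlPath}'] + ('' if rel == '.' else '/' + rel)

def audit_work_area(cfg_text, htaccess_honoured):
    """Classify the work area: 'outside-webroot', 'htaccess-only' or 'exposed'."""
    cfg = parse_cfg(cfg_text)
    work_area = cfg['{RCS}{WorkAreaDir}']
    url = web_path_for(cfg, work_area)
    if url is None:
        status = 'outside-webroot'   # not reachable over HTTP at all
    elif htaccess_honoured:
        status = 'htaccess-only'     # protected only while AllowOverride permits the .htaccess
    else:
        status = 'exposed'           # .htaccess ignored: plugin temp files served to anyone
    return {'work_area': work_area, 'url': url, 'status': status}

if __name__ == '__main__':
    for name, cfg in (('default', DEFAULT_CFG), ('hardened', HARDENED_CFG)):
        print(name, audit_work_area(cfg, htaccess_honoured=False))
```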
