Package: zope2.7
Severity: grave
Justification: user security hole
uvw.ru:[/home/dimka]# umask
022
uvw.ru:[/home/dimka]# mkzope2.7instance
...
[skipped]
...
Directory: /tmp/testmkzope
...
[skipped]
uvw.ru:[/home/dimka]# ls -lR /tmp/testmkzope|grep inituser
-rw-r--r-- 1 root root 40 2005-06-14 23:40 inituser
^^^^^^^^^^
Problem:
uvw.ru:[/home/dimka]$ cat /tmp/testmkzope/inituser
dimka:{SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=
Voilà!
Readable by all users.
This file contains the administrator password (hash).
I write a small CGI script and crack/hack the site (Zope) (theoretically ;))
PS: Sorry for my bad English!
~~~~~~~~~~~~~~~~~~~~~~~~~
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
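The permission problem reported above, as an added example that is not part of the original report and is not Zope's or Debian's code: a credential file written with a plain open() under umask 022 ends up 0644, while creating it with an explicit 0600 mode does not depend on the umask, and a small audit walks an instance directory for inituser files readable by group or other. The function names, the temporary directories and the credential line are constructed for illustration.

```python
import os
import stat
import tempfile

SAMPLE_LINE = "admin:{SHA}CONSTRUCTED-PLACEHOLDER="  # constructed, not a real hash

def write_inituser_default(path, line):
    """Pattern behind the report: the mode is 0666 minus the umask (022 -> 0644)."""
    with open(path, "w") as f:
        f.write(line + "\n")

def write_inituser_private(path, line):
    """Hardened form: create the file 0600 whatever the caller's umask is.
    O_EXCL refuses to reuse an existing file that may have wider permissions."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(line + "\n")

def exposed_credential_files(instance_home, names=("inituser",)):
    """Return sorted (path, mode) pairs for files readable by group or other."""
    found = []
    for root, _dirs, files in os.walk(instance_home):
        for name in files:
            if name not in names:
                continue
            path = os.path.join(root, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                found.append((path, mode))
    return sorted(found)

def demo():
    """Build two throwaway instance directories under umask 022 and audit them."""
    old_umask = os.umask(0o022)  # same umask as in the report
    try:
        with tempfile.TemporaryDirectory() as top:
            weak = os.path.join(top, "weak_instance")
            safe = os.path.join(top, "safe_instance")
            os.mkdir(weak)
            os.mkdir(safe)
            write_inituser_default(os.path.join(weak, "inituser"), SAMPLE_LINE)
            write_inituser_private(os.path.join(safe, "inituser"), SAMPLE_LINE)
            mode = lambda d: stat.S_IMODE(os.stat(os.path.join(d, "inituser")).st_mode)
            return {"default_mode": mode(weak), "private_mode": mode(safe),
                    "exposed": [(os.path.relpath(p, top), m)
                                for p, m in exposed_credential_files(top)]}
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    print(demo())
```

On an existing instance, exposed_credential_files() can be pointed at the instance directory to list files that need a chmod 600.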