Package: gallery2
Version: 2.3-1
Severity: normal

When configuring the gallery2 package, it asks for a
"Database admin user account capable of creating new databases."
In other Debian packages that use MySQL, the install scripts create a new
database and a new MySQL user with write access to that database. The
gallery package, however, stores the admin user and password typed in during
configuration in /etc/gallery2/config.php. This is not expected and not
wanted. Since this file is owned by www-data, a minor bug in any PHP
script can cause the MySQL root password to be revealed.

This might be related to bug #328778.

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (990, 'stable'), (400, 'testing'), (300, 'experimental'), (300, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31.6-Soleus64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages gallery2 depends on:
ii  apache2         2.2.9-10+lenny6          Apache HTTP Server metapackage
ii  apache2-mpm-pre 2.2.14-3                 Apache HTTP Server - traditional n
ii  debconf [debcon 1.5.24                   Debian configuration management sy
ii  imagemagick     7:6.3.7.9.dfsg2-1~lenny3 image manipulation programs
ii  libapache2-mod- 5.2.11.dfsg.1-1          server-side, HTML-embedded scripti
ii  libphp-adodb    5.09a-1                  The ADOdb database abstraction lay
ii  mysql-client-5. 5.0.51a-24+lenny2        MySQL database client binaries
ii  php5            5.2.11.dfsg.1-1          server-side, HTML-embedded scripti
ii  php5-mysql      5.2.11.dfsg.1-1          MySQL module for php5
ii  smarty          2.6.26-0.1               Template engine for PHP
ii  wwwconfig-commo 0.2.1                    Debian web auto configuration

Versions of packages gallery2 recommends:
ii  dcraw              8.86-1                decode raw digital camera images
ii  ffmpeg             5:0.5+svn20091224-0.0 audio/video encoder, streaming ser
ii  jhead              1:2.88-1              manipulate the non-image part of E
ii  libjpeg-progs      7-1                   Programs for manipulating JPEG fil
ii  php5-gd            5.2.11.dfsg.1-1       GD module for php5
ii  unzip              5.52-12               De-archiver for .zip files
ii  zip                2.32-1                Archiver for .zip files

Versions of packages gallery2 suggests:
ii  mysql-server-5.0 [mysq 5.0.51a-24+lenny2 MySQL database server binaries

-- debconf information:
  gallery2/webserver_type: apache, apache-ssl, apache-perl, apache2
  gallery2/mysql/dbname: gallery2
* gallery2/mysql/dbserver: localhost
  gallery2/mysql/configure: true
* gallery2/restart-webserver: false
  gallery2/purge: true
* gallery2/mysql/dbadmin: root
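
The condition reported above can be checked on an installed system with a short audit. The following is an added example, not part of the original report or of the gallery2 package; the `$storeConfig[...]` key names, the sample file contents, and the list of admin account names are assumptions, since the report does not show the file.

```python
import re

# Constructed sample; the $storeConfig key names are an assumption about
# the layout of /etc/gallery2/config.php, which the report does not show.
SAMPLE_CONFIG = """<?php
$storeConfig['type'] = 'mysql';
$storeConfig['hostname'] = 'localhost';
$storeConfig['database'] = 'gallery2';
$storeConfig['username'] = 'root';
$storeConfig['password'] = 'constructed-example';
"""

ADMIN_ACCOUNTS = {"root", "debian-sys-maint"}  # assumed list of admin names
KEY_RE = re.compile(r"""\$storeConfig\[['"](\w+)['"]\]\s*=\s*['"]([^'"]*)['"]\s*;""")


def parse_store_config(text):
    """Return the $storeConfig assignments as a dict, skipping comment lines."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        match = KEY_RE.search(stripped)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def audit(text, file_owner, file_mode, web_user="www-data"):
    """List findings for a config file given its owner name and permission bits."""
    settings = parse_store_config(text)
    findings = []
    user = settings.get("username", "")
    if user in ADMIN_ACCOUNTS:
        findings.append(f"admin account '{user}' stored as application DB user")
    if settings.get("password") and file_owner == web_user:
        findings.append(f"DB password in file owned by {web_user}")
    if settings.get("password") and file_mode & 0o004:
        findings.append("DB password in world-readable file")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "www-data", 0o640):
        print("FINDING:", finding)
```

On a real host, the owner and mode passed to `audit` would come from `os.stat` on the config file.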
