Package: ocsinventory-reports
Version: 1.02.2-1.1
Severity: normal

When /etc/ocsinventory/dbconfig.inc.php has been deleted (e.g. by bug #613609, which seems to be the result of something mentioned in README.Debian but not in NEWS.Debian), OCS Inventory's web interface prompts for the password to be re-entered (so that it can create a new dbconfig.inc.php) using what appears to be the same form as install.php uses: an "OCS Inventory Installation" page containing a form pre-filled with the username and password that OCS Inventory normally uses to access its database.

This behavior is reasonably safe if it's actually being accessed through install.php and the default restrictions on where install.php can be accessed from are in place, but in this situation it's accessible from anywhere that the OCS Inventory web interface is. To be clear: the URL is <https://my-server/ocsreports/>, and thus the restriction on install.php in ocsreports.conf does not apply.

I encountered this problem on an upgrade of an existing installation from lenny to squeeze.

Steps to reproduce:
1: Upgrade from lenny to squeeze, OR simulate bug #613609 by removing /etc/ocsinventory/dbconfig.inc.php.
2: Point web browser at OCS Inventory web interface and examine the source of the page that is returned.

-- System Information:
Debian Release: 6.0.2
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ocsinventory-reports depends on:
ii  apache2                 2.2.16-6+squeeze1  Apache HTTP Server metapackage
ii  apache2-mpm-prefork [a  2.2.16-6+squeeze1  Apache HTTP Server - traditional n
ii  dbconfig-common         1.8.46+squeeze.0   common framework for packaging dat
ii  debconf [debconf-2.0]   1.5.36.1           Debian configuration management sy
ii  libapache2-mod-php5     5.3.3-7+squeeze1   server-side, HTML-embedded scripti
ii  php5                    5.3.3-7+squeeze1   server-side, HTML-embedded scripti
ii  php5-mysql              5.3.3-7+squeeze1   MySQL module for php5
ii  ucf                     3.0025+nmu1        Update Configuration File: preserv

Versions of packages ocsinventory-reports recommends:
ii  libdbd-mysql-perl  4.016-1                 Perl5 database interface to the My
ii  libdbi-perl        1.612-1                 Perl Database Interface (DBI)
ii  libnet-ip-perl     1.25-2                  Perl extension for manipulating IP
ii  libxml-simple-per  2.18-3                  Perl module for reading and writin
ii  nmap               5.00-3                  The Network Mapper
ii  ocsinventory-serv  1.02.2-1.1              Hardware and software inventory to
ii  php5-gd            5.3.3-7+squeeze1        GD module for php5
ii  samba-common       2:3.5.6~dfsg-3squeeze4  common files used by both the Samb

ocsinventory-reports suggests no packages.

-- Configuration Files:
/etc/ocsinventory/ocsreports.conf changed:
Alias /ocsreports /usr/share/ocsinventory-server/ocsreports
Alias /download /var/lib/ocsinventory-server/download
<Directory /usr/share/ocsinventory-server/ocsreports/>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
    Allow from 155.101.89.0/255.255.255.0
    #for waoki: Allow from 166.70.27.133
    SSLRequireSSL
    Options Indexes FollowSymLinks
    DirectoryIndex index.php
    # Authorize for setup
    <Files install.php>
        # For Apache 1.3 and 2.0
        <IfModule mod_auth.c>
            AuthType Basic
            AuthName "OCS Reports Setup"
            AuthUserFile /etc/ocsinventory/htpasswd.setup
        </IfModule>
        # For Apache 2.2
        <IfModule mod_authn_file.c>
            AuthType Basic
            AuthName "OCS Reports Setup"
            AuthUserFile /etc/ocsinventory/htpasswd.setup
        </IfModule>
        Require valid-user
    </Files>
    <IfModule mod_php4.c>
        AddType application/x-httpd-php .php
        php_value post_max_size 8m
        php_value upload_max_filesize 8m
    </IfModule>
    <IfModule mod_php5.c>
        AddType application/x-httpd-php .php
        php_value post_max_size 8m
        php_value upload_max_filesize 8m
    </IfModule>
</Directory>

-- debconf information:
  ocsinventory-reports/remote/host:
  ocsinventory-reports/upgrade-backup: true
  ocsinventory-reports/mysql/admin-user: root
  ocsinventory-reports/database-type: mysql
  ocsinventory-reports/missing-db-package-error: abort
  ocsinventory-reports/dbconfig-upgrade: true
  ocsinventory-reports/purge: false
  ocsinventory-reports/install-error: abort
  ocsinventory-reports/remove-error: abort
  ocsinventory-reports/dbconfig-reinstall: false
  ocsinventory-reports/dbconfig-install: true
  ocsinventory-reports/internal/skip-preseed: true
  ocsinventory-reports/passwords-do-not-match:
  ocsinventory-reports/upgrade-error: abort
  ocsinventory-reports/remote/port:
  ocsinventory-reports/remote/newhost:
  ocsinventory-reports/internal/reconfiguring: false
  ocsinventory-reports/setup-username: admin
  ocsinventory-reports/db/dbname: ocsweb
  ocsinventory-reports/mysql/method: unix socket
  ocsinventory-reports/db/app-user: ocs
  ocsinventory-reports/dbconfig-remove:
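
The scoping gap the report describes, as an added example that is not part of the original report or of OCS Inventory: a small Python check that reads an Apache configuration and lists which pages fall outside every Require directive. The sample configuration is condensed from the one quoted in the report; the function names are hypothetical, fnmatch only approximates <Files> wildcard matching, and IP-based Order/Deny/Allow rules are deliberately not evaluated.

```python
import fnmatch
import re

# Constructed sample, condensed from the ocsreports.conf quoted in the report.
SAMPLE_CONF = """\
<Directory /usr/share/ocsinventory-server/ocsreports/>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
    DirectoryIndex index.php
    <Files install.php>
        <IfModule mod_authn_file.c>
            AuthType Basic
            AuthUserFile /etc/ocsinventory/htpasswd.setup
        </IfModule>
        Require valid-user
    </Files>
</Directory>
"""

OPEN = re.compile(r"<(\w+)\s*([^>]*)>")   # e.g. <Files install.php>
CLOSE = re.compile(r"</(\w+)>")           # e.g. </Files>

def require_scopes(conf_text):
    """Return (files_pattern, require_args) per Require; pattern is None at directory level."""
    stack, found = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.fullmatch(line):
            if stack:
                stack.pop()
        elif (m := OPEN.fullmatch(line)):
            stack.append((m.group(1).lower(), m.group(2).strip().strip('"')))
        elif line.lower().startswith("require "):
            # The innermost enclosing <Files> section decides what the directive covers.
            files = [arg for name, arg in stack if name == "files"]
            found.append((files[-1] if files else None, line.split(None, 1)[1]))
    return found

def pages_without_auth(conf_text, pages):
    """List the pages that no Require directive in the configuration covers."""
    scopes = require_scopes(conf_text)
    return [p for p in pages
            if not any(pat is None or fnmatch.fnmatch(p, pat) for pat, _ in scopes)]
```

For the sample, pages_without_auth(SAMPLE_CONF, ["index.php", "install.php"]) reports index.php, the DirectoryIndex page through which the installation form was served in this report.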