Hi,

On Sun, Apr 13, 2008 at 3:02 PM, Marc 'HE' Brockschmidt <[EMAIL PROTECTED]> wrote:
> The difference in this case is that very many things (pick your
> favourite web application) run with the www-data uid.

Yes, and every web application has read access to /etc/otrs/database.pm, which means it can create havoc in the database, install stored procedures and so on. Every other webapp with a database has the same problem - not only otrs. It is the duty of the local admin to make sure that the installation is safe. I do not understand what is so special about otrs that many people are writing useless bug reports.

> While it is hard
> to construct a scenario where an attacker gains access to the postgres
> user without cracking the whole system, the problems in web applications
> are so common that on any webserver, files owned by the www-data user
> should be considered as published to the web.

It is not hard to modify foreign databases when it comes to webapps that are executed by the same httpd user, and BTW stored procedures are executed in the context of the postgres user.

Torsten
--
http://twerner.blogspot.com
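The exchange above turns on one concrete condition: whether a file holding database credentials (the thread's example is /etc/otrs/database.pm) is readable by the www-data uid, and thus by every web application sharing that uid. The following is an added example, not code from the thread or from the OTRS project: a small POSIX shell audit a local admin can run to report whether such a file is readable by its group or by everyone, and who owns it. The demo file path and contents are constructed for illustration; it assumes only a POSIX `ls`, `cut` and `awk`.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): audit a credentials
# file and report whether users other than its owner can read it.
# Exit status: 0 = owner-only readable, 1 = group- or world-readable,
# 2 = file missing. Findings are printed to stdout.
check_secret_file() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "missing: $f"
        return 2
    fi
    # ls -ld prints e.g. "-rw-r--r-- 1 root www-data 1234 Apr 13 12:00 file";
    # the first ten characters are the type and permission bits.
    line=$(ls -ld "$f")
    perms=$(printf '%s' "$line" | cut -c1-10)
    owner=$(printf '%s' "$line" | awk '{print $3}')
    group=$(printf '%s' "$line" | awk '{print $4}')
    group_r=$(printf '%s' "$perms" | cut -c5)   # group read bit
    other_r=$(printf '%s' "$perms" | cut -c8)   # world read bit
    status=0
    if [ "$group_r" = "r" ]; then
        echo "WARN: $f is readable by group '$group' ($perms)"
        status=1
    fi
    if [ "$other_r" = "r" ]; then
        echo "WARN: $f is world-readable ($perms)"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "ok: $f is readable only by owner '$owner' ($perms)"
    fi
    return "$status"
}

# Demonstration on a constructed temporary file (hypothetical path and
# content; not a real OTRS configuration). The same call works on a real
# path such as /etc/otrs/database.pm.
demo() {
    tmp=$(mktemp -d)
    printf '$Self->{DatabasePw} = "example-placeholder";\n' > "$tmp/database.pm"
    chmod 644 "$tmp/database.pm"
    check_secret_file "$tmp/database.pm" || echo "(status $?: fix with chmod 600)"
    chmod 600 "$tmp/database.pm"
    check_secret_file "$tmp/database.pm" || echo "(status $?)"
    rm -rf "$tmp"
}

demo
```

A file that passes this check can still be read by a web application if the file's owner is the httpd user itself, so the printed owner matters as much as the mode bits; on the thread's terms, a credentials file owned by www-data should be treated as already published.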