On Friday, June 10, 2005 at 16:20 -0400, Tim Peeler wrote:
> Could you double-check that version? Version 0.9.45-4 fixes this bug.

I'm positively sure about the current version, though I think it was an
upgrade from an older version. Could you tell me what it should look like
with a fresh install?

> On Fri, Jun 10, 2005 at 11:54:35AM +0200, Jerome Warnier wrote:
> > Package: webcalendar
> > Version: 0.9.45-4
> > Severity: critical
> >
> > [EMAIL PROTECTED]:/etc/webcalendar$ ls -l /etc/webcalendar/
> > total 88
> > -rw-r--r-- 1 root root 487 May 18 18:39 apache.conf
> > -rw-r--r-- 1 root root 461 Nov 11 2004 print_styles.css
> > -rw-r--r-- 1 www-data www-data 378 Apr 25 11:52 settings.php
> > -rw-r--r-- 1 root root 369 Apr 20 11:06 settings.php.old
> > -rw-r--r-- 1 root root 774 Dec 28 23:22 settings.php.tpl
> > -rw-r--r-- 1 root root 6701 Nov 16 2004 site_extras.php
> > -rw-r--r-- 1 root root 21879 Dec 7 2004 styles.php
> > -rw-r--r-- 1 root root 12133 Dec 14 01:09 user-ldap.php
> > -rw-r--r-- 1 root root 11417 Nov 16 2004 user-nis.php
> > -rw-r--r-- 1 root root 11647 Nov 25 2004 user.php
> >
> >
> > All configuration files are world-readable. As settings.php includes a
> > clear-text password and login to the database, this is highly unsecure,
> > hence the severity critical. Wish I had seen this before Sarge's
> > release.
> >
> > Thanks
> > --
> > Jerome Warnier <[EMAIL PROTECTED]>
> > BeezNest
> >
>

-- 
Jerome Warnier <[EMAIL PROTECTED]>
BeezNest
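
The check behind the report above, as an added example that is not part of the original thread or the package's own fix: it lists files in a configuration directory that any local user can read and narrows that list to files that appear to hold credentials. The function names, the password pattern and the 0640 target mode are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit a config directory for files readable by "other".
# Function names, the grep heuristic and the 0640 target are assumptions.

# Print every regular file under $1 whose "other" read bit (0004) is set.
world_readable() {
    find "$1" -type f -perm -0004 -print | sort
}

# Of those, print the files that look like they hold credentials.
# Heuristic: a key containing "password" or "passwd" followed by '=' or ':'.
world_readable_secrets() {
    world_readable "$1" | while IFS= read -r f; do
        if grep -Eiq '(password|passwd)[^=:]*[=:]' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Drop all access for "other" on one file (result: mode 0640).
# The web server then needs group access, so ownership such as
# root:www-data has to be set separately with chown, as root.
restrict() {
    chmod u=rw,g=r,o= "$1"
}

# Stand-alone use: sh audit.sh /etc/webcalendar
if [ "$#" -gt 0 ]; then
    world_readable_secrets "$1"
fi
```

An old copy such as settings.php.old needs the same treatment as the live file if it still carries the database login.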