Your message dated Sat, 27 Jun 2009 16:04:17 +0000
with message-id <e1mkao1-00010q...@ries.debian.org>
and subject line Bug#518518: fixed in backuppc 3.1.0-4lenny1
has caused the Debian Bug report #518518,
regarding backuppc: web frontend installed insecurely by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
518518: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518518
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: backuppc
Version: 3.1.0-4
Severity: grave
Tags: security
Justification: user security hole

Hi,

The CGI script of the web frontend is installed setuid to the backuppc user.
This means that any local user of the system can run the CGI script as the
backuppc user. The CGI script simply reads the REMOTE_USER environment
variable to check permissions which can be faked by the invoking user. The
CGI also seems to treat the absence of the REMOTE_USER variable as allowing
full access!

As an example on a default install that backs up /etc (the 'localhost' host)
the following command will reveal the password hashes for the web interface
(stored in /etc/backuppc/htpasswd and which should be readable only by the
backuppc user):

/usr/share/backuppc/cgi-bin/index.cgi action=RestoreFile host=localhost num=0 \
    share=/etc dir=/backuppc/htpasswd

Note that if backuppc is used to fully backup other machines as root (the
recommended configuration) then it is possible using this method to read files
such as the backed up /etc/shadow !!

Thanks,

Steve

-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (601, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages backuppc depends on:
ii  adduser                  3.110           add and remove users and groups
ii  apache2                  2.2.9-10+lenny2 Apache HTTP Server metapackage
ii  apache2-mpm-worker [http 2.2.9-10+lenny2 Apache HTTP Server - high speed th
ii  bzip2                    1.0.5-1         high-quality block-sorting file co
ii  debconf [debconf-2.0]    1.5.24          Debian configuration management sy
ii  dpkg                     1.14.25         Debian package management system
ii  libarchive-zip-perl      1.18-1          Module for manipulation of ZIP arc
ii  libcompress-zlib-perl    2.012-1         Perl module for creation and manip
ii  perl [libdigest-md5-perl 5.10.0-19       Larry Wall's Practical Extraction 
ii  perl-suid                5.10.0-19       Runs setuid Perl scripts
ii  samba-common             2:3.2.5-4       Samba common files used by both th
ii  smbclient                2:3.2.5-4       a LanManager-like simple client fo
ii  tar                      1.20-1          GNU version of the tar archiving u

Versions of packages backuppc recommends:
ii  exim4                        4.69-9      metapackage to ease Exim MTA (v4) 
ii  exim4-daemon-light [mail-tra 4.69-9      lightweight Exim MTA (v4) daemon
ii  libfile-rsyncp-perl          0.68-1.1+b1 A perl based implementation of an 
ii  openssh-client [ssh-client]  1:5.1p1-5   secure shell client, an rlogin/rsh
ii  rrdtool                      1.3.1-4     Time-series data storage and displ
ii  rsync                        3.0.3-2     fast remote file copy program (lik

Versions of packages backuppc suggests:
ii  iceweasel [www-browser]     3.0.6-1      lightweight web browser based on M
ii  links [www-browser]         2.1pre37-1.1 Web browser running in text mode
pn  par2                        <none>       (no description available)
ii  w3m [www-browser]           0.5.2-2+b1   WWW browsable pager with excellent

-- debconf information:
  backuppc/restart-webserver: true
* backuppc/configuration-note:
* backuppc/reconfigure-webserver: apache2



--- End Message ---
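The report above boils down to two file-permission conditions: the CGI script is setuid to the backuppc user and executable by any local user (who then controls REMOTE_USER), and the htpasswd file it protects is meant to be readable only by backuppc. The following POSIX shell audit is an added example, not code from the Debian package or from the reporter; it checks both conditions on a given install and builds a throwaway fixture so it can be run offline. The "vulnerable" fixture mirrors the report (setuid, executable by all, htpasswd readable by all); the "fixed" fixture assumes a setuid script executable only by its group and a group-readable htpasswd, which is an illustrative assumption, since the changelog for 3.1.0-4lenny1 only says the permissions were fixed and does not give the modes. The real paths (/usr/share/backuppc/cgi-bin/index.cgi, /etc/backuppc/htpasswd) are taken from the report; the fixture paths and function names are the example's own.

```shell
#!/bin/sh
# Added example: audit a BackupPC install for the two conditions in #518518.
# Not part of the Debian package. Paths are parameters so the same checks can
# be run against the fixture built by make_fixture below.

# cgi_exposed FILE: true if FILE is setuid AND executable by "other", i.e. any
# local user can run it as the owner and supply its environment (REMOTE_USER).
cgi_exposed() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm -4000 -perm -0001 -print 2>/dev/null)" ]
}

# other_readable FILE: true if FILE has the o+r bit (a secrets file should not).
other_readable() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm -0004 -print 2>/dev/null)" ]
}

# audit_backuppc CGI SECRETFILE...: print findings; return the number of
# findings, so 0 means clean.
audit_backuppc() {
    cgi=$1; shift; findings=0
    if cgi_exposed "$cgi"; then
        echo "FAIL: $cgi is setuid and world-executable; any local user can run it as the owner and forge REMOTE_USER"
        findings=$((findings + 1))
    fi
    for f in "$@"; do
        if other_readable "$f"; then
            echo "FAIL: $f is readable by other users"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ] && echo "OK: $cgi not runnable by arbitrary local users; secrets not world-readable"
    return "$findings"
}

# make_fixture DIR CGI_MODE HTPASSWD_MODE: constructed sample layout standing in
# for /usr/share/backuppc/cgi-bin/index.cgi and /etc/backuppc/htpasswd. The
# current user stands in for the backuppc owner; the htpasswd line is made up.
make_fixture() {
    mkdir -p "$1/cgi-bin" "$1/etc"
    printf '#!/usr/bin/perl\n# placeholder for index.cgi\n' > "$1/cgi-bin/index.cgi"
    printf 'admin:$apr1$constructed$notarealhash\n' > "$1/etc/htpasswd"
    chmod "$2" "$1/cgi-bin/index.cgi"
    chmod "$3" "$1/etc/htpasswd"
}

# demo: build both layouts and audit them. Mode 4755/644 is what the report
# describes; 4750/640 is the assumed post-fix arrangement (setuid kept, but only
# the web server's group can execute, and only the owner's group can read).
demo() {
    tmp=$(mktemp -d) || return 1
    make_fixture "$tmp/lenny" 4755 644
    make_fixture "$tmp/fixed" 4750 640
    echo "== as shipped in 3.1.0-4 (per the report) =="
    audit_backuppc "$tmp/lenny/cgi-bin/index.cgi" "$tmp/lenny/etc/htpasswd" || :
    echo "== assumed fixed layout =="
    audit_backuppc "$tmp/fixed/cgi-bin/index.cgi" "$tmp/fixed/etc/htpasswd" || :
    rm -rf "$tmp"
}

demo
```

To check a live lenny host, call audit_backuppc with the real paths (and /etc/backuppc/htgroup, which the changelog also mentions) and treat a nonzero return as a finding. The check deliberately does not flag a setuid script that is executable only by the web server's group, because the report's attack needs an arbitrary local user to be able to invoke the script directly; if your policy forbids setuid CGI scripts altogether, replace the `-perm -0001` test with a plain `-perm -4000` test.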
--- Begin Message ---
Source: backuppc
Source-Version: 3.1.0-4lenny1

We believe that the bug you reported is fixed in the latest version of
backuppc, which is due to be installed in the Debian FTP archive:

backuppc_3.1.0-4lenny1.diff.gz
  to pool/main/b/backuppc/backuppc_3.1.0-4lenny1.diff.gz
backuppc_3.1.0-4lenny1.dsc
  to pool/main/b/backuppc/backuppc_3.1.0-4lenny1.dsc
backuppc_3.1.0-4lenny1_all.deb
  to pool/main/b/backuppc/backuppc_3.1.0-4lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 518...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovic Drolez <ldro...@debian.org> (supplier of updated backuppc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 31 Mar 2009 14:39:24 +0200
Source: backuppc
Binary: backuppc
Architecture: source all
Version: 3.1.0-4lenny1
Distribution: stable-proposed-updates
Urgency: high
Maintainer: Ludovic Drolez <ldro...@debian.org>
Changed-By: Ludovic Drolez <ldro...@debian.org>
Description: 
 backuppc   - high-performance, enterprise-grade system for backing up PCs
Closes: 518518
Changes: 
 backuppc (3.1.0-4lenny1) stable-proposed-updates; urgency=high
 .
   * Fix the permissions of the CGI script. Closes: #518518
   * Fix the permissions of htpasswd/htgroup files
Checksums-Sha1: 
 0cfd2f5e8f0e7b5ad0851d9bf2b1acb6c493a8ba 1033 backuppc_3.1.0-4lenny1.dsc
 7bb883062c874937468eb6ffaac12e398828dcc2 24826 backuppc_3.1.0-4lenny1.diff.gz
 1f54257842c31ce47af723b309a177a39f97fbef 541574 backuppc_3.1.0-4lenny1_all.deb
Checksums-Sha256: 
 1239212a646995455ddf4ef3a638f9a497287e8139dbb233c93506bc6b8b070d 1033 
backuppc_3.1.0-4lenny1.dsc
 35782f694ee7aad440578588b814d880070eaa3be70bc778d9b3b755c1c25529 24826 
backuppc_3.1.0-4lenny1.diff.gz
 51d23c346180ed56fef2bc5cb67e58936e9a425cddcb13861d2daa55e3ef3ed8 541574 
backuppc_3.1.0-4lenny1_all.deb
Files: 
 56f372629f9a81a4a4b9c5818f865a13 1033 utils optional backuppc_3.1.0-4lenny1.dsc
 27e3d76fc06124866066ce2d40fa6842 24826 utils optional 
backuppc_3.1.0-4lenny1.diff.gz
 d406b160a139d2def316a0b9093ffa47 541574 utils optional 
backuppc_3.1.0-4lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkomSxUACgkQsRlQAP1GpphL4wCeKyZibnCA/0gn9oZKlVnnLPGE
Jm4An34HkglYOp0pr7QxVIvbv73SlZwg
=+8qp
-----END PGP SIGNATURE-----



--- End Message ---
