Cajus Pollmeier wrote:
> On Thursday 07 December 2006 14:37, Finn-Arne Johansen wrote:
>> Package: gosa
>> Version: 2.5.6-2
>> Severity: critical
>> Tags: security
>> Justification: root security hole
>>
>> The documentation in gosa tells the admin to install gosa.conf under
>> /etc/gosa/gosa.conf, and to make it readable by the group www-data.
>> In this configuration file, the LDAP admin password is stored in
>> cleartext. Any process running under the web process can now read that
>> file, and if the same LDAP user was used for authenticating, it would
>> be rather easy to create a user with root access.
>>
>> This little script placed under my ~/public_html/ revealed the password
>> on my server:
>> <?php system ('cat /etc/gosa/gosa.conf') ; ?>
>
> So, do you have another solution, actually? Any web application that stores
> information about passwords has the same problem, you can simply get
> passwords to mysql databases, etc.
>
> Don't use public stuff on these administrative servers. I'm not responsible
> for configuring your PHP installation, i.e. use PHP's secure mode to avoid
> these cases.
Please add these notes to the explanation, or at least to the README.Debian file.

Someone thought about adding gosa as the user admin tool for Debian-Edu, until
I pointed this out.

-- 
Finn-Arne Johansen
[EMAIL PROTECTED]
http://bzz.no/
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642
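The exposure described in the bug report is a file-permission problem: a config file holding a cleartext credential is readable by the group the web server runs as, so any code the web server executes (here, a user's own PHP under ~/public_html/) can read it. The script below is an added example, not code from the gosa package, the bug report or either correspondent. It audits a directory for regular files whose mode bits let anyone other than the owner read them and that contain a password-looking line, and it builds a constructed sample tree to run against. The `adminPassword=` sample line and the `passw(or)?d` key pattern are illustrations, not GOsa's actual config syntax; the file names under the sample tree are invented.

```shell
#!/bin/sh
# Added example (not from the gosa package or the bug report): flag config
# files whose mode lets any non-owner read them and that contain a
# password-looking line.  The key pattern and the sample lines below are
# illustrations, not GOsa's exact config syntax.

# Print each regular file under $1 that has the group- or world-read bit set
# and contains a credential-looking key.  This is a conservative pre-check:
# it also flags files readable only by a privileged group.  The definitive
# test is to read the file as the web user, e.g. `sudo -u www-data cat FILE`.
find_exposed_secrets() {
    dir="$1"
    find "$dir" -type f \( -perm -g+r -o -perm -o+r \) -print |
    while IFS= read -r f; do
        if grep -qiE 'passw(or)?d' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a constructed sample tree under $1 that mirrors the bug report:
#   exposed.conf  mode 640, cleartext password  -> flagged (group can read)
#   safe.conf     mode 600, cleartext password  -> not flagged
#   public.conf   mode 644, no credential       -> not flagged
make_sample_tree() {
    dir="$1"
    printf '<location adminPassword="s3cret" />\n' > "$dir/exposed.conf"
    chmod 640 "$dir/exposed.conf"
    printf '<location adminPassword="s3cret" />\n' > "$dir/safe.conf"
    chmod 600 "$dir/safe.conf"
    printf '<location ldapServer="ldap://localhost" />\n' > "$dir/public.conf"
    chmod 644 "$dir/public.conf"
}

# Demo run against the constructed tree (cleaned up afterwards).
tmp=$(mktemp -d)
make_sample_tree "$tmp"
echo "Files readable beyond the owner that hold a credential:"
find_exposed_secrets "$tmp"
rm -rf "$tmp"
```

On a real host you would point `find_exposed_secrets` at /etc and then confirm each hit by actually reading it as the web server's user; a mode of 640 with group www-data is exactly the case the report describes, and the only fixes that remove the exposure are to keep the credential out of a file the web user can read or to keep untrusted code (such as per-user public_html scripts) off the host entirely.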