Date: Tue, 12 Jul 2011 05:36:56 GMT
From: Hartmann@FreeBSD.org, "O." <ohartman@zedat.fu-berlin.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/158824: devel/flyspray: share/flyspray/flyspray.conf.php remains with access mode rw-rw-rw after new installation!
Message-ID: <201107120536.p6C5auC5082894@red.freebsd.org>
Resent-Message-ID: <201107120540.p6C5e7t7014397@freefall.freebsd.org>

>Number: 158824
>Category: ports
>Synopsis: devel/flyspray: share/flyspray/flyspray.conf.php remains with access mode rw-rw-rw after new installation!
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 12 05:40:06 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Hartmann, O.
>Release: FreeBSD 8.2/9.0
>Organization: FU Berlin
>Environment:
>Description:
After an installation of devel/flyspray, the PHP config file in /usr/local/share/flyspray, called flyspray.conf.php, remains world read- and writable. This file contains the access credentials for accessing the admin account for the flyspray database. It should be protected more carefully according to the setup, say r------ (octal 400). If one does not take care about this, the server remains kind of vulnerable after flyspray installation and setup.
>How-To-Repeat:
Install devel/flyspray.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
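Added example, not part of the original report or of the port: a POSIX sh check an administrator could run after installing, which flags the config file when group or others have any access and restricts it to the octal 400 the report suggests. The function names are hypothetical, and it assumes the file is owned by the account PHP runs as; otherwise mode 400 would make it unreadable to Flyspray.

```shell
#!/bin/sh
# Added example: audit and tighten the mode of a credentials file.
# Intended call (path taken from the report):
#   audit_conf /usr/local/share/flyspray/flyspray.conf.php
# Assumption: the file's owner is the user the web server's PHP runs as.

# Print the nine permission characters of a file, e.g. "rw-rw-rw-".
mode_string() {
    ls -ld -- "$1" | cut -c2-10
}

# Return 0 if group or others have any access to the file, 1 otherwise.
too_open() {
    [ "$(mode_string "$1" | cut -c4-9)" != "------" ]
}

# Report the file's state; if it is too open, restrict it to owner read-only.
# Exit status: 0 = already tight, 1 = was too open and has been tightened,
#              2 = file missing, 3 = chmod failed.
audit_conf() {
    conf=$1
    if [ ! -f "$conf" ]; then
        echo "missing: $conf" >&2
        return 2
    fi
    if too_open "$conf"; then
        echo "too open: $conf ($(mode_string "$conf"))"
        chmod 400 -- "$conf" || return 3
        echo "tightened: $conf ($(mode_string "$conf"))"
        return 1
    fi
    echo "ok: $conf ($(mode_string "$conf"))"
    return 0
}
```

A status of 1 means the file was writable or readable by other accounts until this run, so the database credentials in it should be treated as exposed and rotated.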