Date: Wed, 12 Aug 2015 01:03:17 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 202262] sysutils/froxlor: database password information leak (CVE-2015-5959)
Message-ID: <bug-202262-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202262

            Bug ID: 202262
           Summary: sysutils/froxlor: database password information leak
                    (CVE-2015-5959)
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs@FreeBSD.org
          Reporter: junovitch@freebsd.org
                CC: coco@executive-computing.de
             Flags: maintainer-feedback?(coco@executive-computing.de)

Maintainer of sysutils/froxlor,

There is a security advisory relevant to the current version of Froxlor in the
ports collection.

Affects
=====
- Froxlor 0.9.33.1 and earlier

Fixed
====
- Froxlor 0.9.33.2

Summary
========
An unauthenticated remote attacker is able to get the database password via
webaccess due to wrong file permissions of the /logs/ folder in froxlor version
0.9.33.1 and earlier. The plain SQL password and username may be stored in the
/logs/sql-error.log file. This directory is publicly reachable under the default
configuration/setup.

Full Source Reference is available:
http://seclists.org/oss-sec/2015/q3/238

-- 
You are receiving this mail because:
You are the assignee for the bug.
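
A local check for the condition the advisory describes, as an added example that is not part of the original bug report or of Froxlor. It assumes the Froxlor install root is passed as an argument, and it uses the "other" permission bits only as a proxy: whether logs/ is actually reachable over HTTP depends on the web server configuration.

```shell
#!/bin/sh
# Added example: audit a Froxlor install for the logs/ exposure in the advisory.
# Assumption: $1 is the Froxlor install root; logs/ and logs/sql-error.log
# are the paths named in the advisory, taken relative to that root.

# Print the "other" permission triplet (e.g. "r-x") of a path.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Prints one line per finding; returns 1 if anything was found, 0 otherwise.
audit_froxlor_logs() {
    root=$1
    logdir="$root/logs"
    logfile="$logdir/sql-error.log"
    findings=0

    if [ ! -d "$logdir" ]; then
        echo "OK: no logs/ directory under $root"
        return 0
    fi

    # Any read or search bit for "other" lets unrelated users into logs/.
    case "$(other_bits "$logdir")" in
        *[rxt]*) echo "FINDING: $logdir is accessible to other users"
                 findings=$((findings + 1)) ;;
    esac

    if [ -f "$logfile" ]; then
        case "$(other_bits "$logfile")" in
            r*) echo "FINDING: $logfile is world-readable"
                findings=$((findings + 1)) ;;
        esac
        # The advisory says credentials may be logged here, so any content
        # needs a manual review.
        if [ -s "$logfile" ]; then
            echo "FINDING: $logfile is non-empty; review it for database credentials"
            findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ]
}

# Run the audit when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_froxlor_logs "$1"
fi
```

A clean result here does not replace upgrading to the fixed version named in the report.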