* will guaraldi wrote:
>> I discovered this vulnerability while playing with pyblosxom, which
>> uses python files to store configuration information. The way it is
>> packaged by Debian, the global config file /etc/pyblosxom/config.py
>> is created with 640 permissions, owned by the root user and the
>> www-data group, of which apache httpd is a member. When the config
>> file is imported by pyblosxom, a config.pyc is created with 644
>> permissions. If, for example, an XMLRPC password is specified in
>> that file, it will be readable by any user.
>
> I'm not sure how to go about dealing with this though feel free to
> toss me an email so we can discuss and see if it's something I need
> to fix in PyBlosxom proper or something you can fix in the Debian
> package.

On Debian systems, there's no config.pyc created, so I'm a bit puzzled
about this bug report.

Norbert
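
An added example, not part of the original thread and not code from PyBlosxom or the Debian package: a small audit that walks a directory and reports compiled bytecode files whose mode grants permission bits the matching .py source does not, which is the 640 source / 644 config.pyc condition described in the report. The function names, the sample file contents and the temporary directory are assumptions constructed for illustration; it also checks the `__pycache__` layout used by newer Python versions.

```python
import os
import stat
import sys
import tempfile
from pathlib import Path


def bytecode_candidates(src: Path):
    """Yield compiled files that may belong to src (legacy and __pycache__ layouts)."""
    for suffix in ("c", "o"):                  # config.pyc / config.pyo beside the source
        yield src.with_name(src.name + suffix)
    cache = src.parent / "__pycache__"
    if cache.is_dir():                         # config.cpython-XY.pyc
        yield from cache.glob(src.stem + ".*.pyc")


def find_exposed_bytecode(root):
    """Return (source, compiled, source_mode, compiled_mode) for looser compiled files."""
    findings = []
    for src in sorted(Path(root).rglob("*.py")):
        src_mode = stat.S_IMODE(src.stat().st_mode)
        for pyc in bytecode_candidates(src):
            if not pyc.is_file():
                continue
            pyc_mode = stat.S_IMODE(pyc.stat().st_mode)
            if pyc_mode & ~src_mode & 0o777:   # bits set on the .pyc but not on the .py
                findings.append((str(src), str(pyc), src_mode, pyc_mode))
    return findings


def build_constructed_case(directory):
    """Constructed sample: a 640 config.py next to a 644 config.pyc, as in the report."""
    src = Path(directory) / "config.py"
    src.write_text("xmlrpc_password = 'constructed-placeholder'\n")
    os.chmod(src, 0o640)
    pyc = Path(directory) / "config.pyc"
    pyc.write_bytes(b"constructed placeholder, not real bytecode")
    os.chmod(pyc, 0o644)
    return directory


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Audit the directory given on the command line, else the constructed sample.
        root = sys.argv[1] if len(sys.argv) > 1 else build_constructed_case(tmp)
        for src, pyc, sm, pm in find_exposed_bytecode(root):
            print(f"{pyc} is {pm:03o} but {src} is {sm:03o}")
```

Run it with a directory argument to audit a real tree; with no argument it checks only the constructed sample.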