On Sun, 29 Jan 2006, Norbert Tretkowski wrote:

> * will guaraldi wrote:
> > I discovered this vulnerability while playing with pyblosxom, which
> > uses python files to store configuration information. The way it is
> > packaged by Debian, the global config file /etc/pyblosxom/config.py
> > is created with 640 permissions, owned by the root user and the
> > www-data group, of which apache httpd is a member. When the config
> > file is imported by pyblosxom, a config.pyc is created with 644
> > permissions. If, for example, an XMLRPC password is specified in
> > that file, it will be readable by any user.
> >
> > I'm not sure how to go about dealing with this though feel free to
> > toss me an email so we can discuss and see if it's something I need
> > to fix in PyBlosxom proper or something you can fix in the Debian
> > package.
>
> On Debian systems, there's no config.pyc created, so I'm a bit puzzled
> about this bug report.

Well, there's no config.pyc file created at install time. But if someone sets up their blog and points their blog at /etc/pyblosxom/config.py, then when PyBlosxom runs, it'll create the config.pyc file in that directory.

I'm not really sure how to go about fixing it in PyBlosxom proper. To be honest, I'm not sure why config.py gets put in /etc/pyblosxom/. Is the theory that someone will copy it from there to their blog directory and then configure config.py in the new location? Or are they supposed to configure config.py in /etc/pyblosxom/? I would think the latter isn't particularly great since it prevents more than one user from using PyBlosxom on a given machine.

/will
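The leak discussed in this thread, as an added example that is not part of the original mail or of PyBlosxom: a loader that reads a Python config file without letting the interpreter write a config.pyc beside it, and an audit helper that flags stale bytecode readable by group or other when the source file is not. File paths and the sample config key used in testing are constructed.

```python
import os
import stat
from pathlib import Path

# Mode bits that let anyone other than the owner read a file.
_GROUP_OTHER_READ = stat.S_IRGRP | stat.S_IROTH


def load_config_without_bytecode(path):
    """Execute a Python config file and return its top-level names as a dict.

    The source is compiled and executed in-process, bypassing the import
    machinery, so no config.pyc is written next to a 0640 config.py.
    """
    src = Path(path).read_text()
    namespace = {"__file__": str(path)}
    exec(compile(src, str(path), "exec"), namespace)
    return {k: v for k, v in namespace.items() if not k.startswith("__")}


def bytecode_candidates(path):
    """Yield the bytecode paths the interpreter may have written for `path`.

    Python 2 wrote config.pyc beside config.py with umask-default permissions
    (the case in this thread); Python 3 writes into __pycache__/ and copies the
    source file's mode, but stale files from either layout are worth checking.
    """
    p = Path(path)
    yield p.with_suffix(".pyc")
    cache = p.parent / "__pycache__"
    if cache.is_dir():
        yield from cache.glob(p.stem + ".*.pyc")


def find_bytecode_leaks(path):
    """Return bytecode files readable by group/other although the source is not.

    Each result is a (bytecode_path, source_mode, bytecode_mode) tuple.
    """
    src_mode = stat.S_IMODE(os.stat(path).st_mode)
    leaks = []
    for candidate in bytecode_candidates(path):
        if not candidate.exists():
            continue
        pyc_mode = stat.S_IMODE(candidate.stat().st_mode)
        # A leak is any read bit the bytecode grants that the source withholds.
        if (pyc_mode & _GROUP_OTHER_READ) & ~src_mode:
            leaks.append((str(candidate), src_mode, pyc_mode))
    return leaks
```

When the config must be imported as a real module instead, setting `PYTHONDONTWRITEBYTECODE=1` in the environment (or `sys.dont_write_bytecode = True` before the import) stops the interpreter from writing the .pyc in the first place.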
