Finn-Arne Johansen wrote:
> Package: gosa
> Version: 2.5.6-2
> Severity: critical
> Tags: security
> Justification: root security hole
>
> The documentation in gosa tells the admin to install gosa.conf under
> /etc/gosa/gosa.conf, and to make it readable by the group www-data.
> In this configuration file, the ldap admin password is stored in
> cleartext. Any process running under the web process can now read that
> file, and if the same ldap user was used for authenticating, it would
> be rather easy to create a user with root access.
Honestly, what solution would you propose for a process running as www-data to access a password which cannot be read by other processes running as www-data?

> this little script placed under my ~/public_html/ revealed the password
> on my server
> <?php system ('cat /etc/gosa/gosa.conf') ; ?>

As usual, it's sad, but if you allow random users to use self-written PHP scripts, they can access everything that the www-data user can access. It may be different with suhosin.

As a general rule, users don't belong on service machines, if you want to avoid such problems.

Regards,

	Joey

-- 
Long noun chains don't automatically imply security.  -- Bruce Schneier

Please always Cc to me when replying to me on the lists.