Package: piwigo
Version: 2.1.2-3
Severity: important

If the SQLite option is selected while installing piwigo, the SQLite database
is installed in the /usr/share/piwigo/web/_data directory. While the included
default Apache configuration prevents access to the directory index, it does
not prevent an attacker from retrieving the file by writing the full path to
the SQLite database file.

This bug might cause disclosure of sensitive information like hashed passwords.



-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
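
A defender-side check for the condition reported above, added here as an example (it is not part of the original report or of the piwigo package): it walks a web-served directory and lists every file that starts with the SQLite 2 or SQLite 3 file header, regardless of its name. The file names and the temporary tree built in `demo()` are constructed; on a real host, pass the web root (for this report, /usr/share/piwigo/web) to `find_sqlite_files()`.

```python
import os
import tempfile

# File headers that identify SQLite databases regardless of file name.
SQLITE_MAGICS = (
    b"SQLite format 3\x00",                                 # SQLite 3
    b"** This file contains an SQLite 2.1 database **",     # SQLite 2
)
MAX_MAGIC = max(len(m) for m in SQLITE_MAGICS)


def find_sqlite_files(web_root):
    """Return sorted paths, relative to web_root, of SQLite databases below it."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(MAX_MAGIC)
            except OSError:
                continue  # unreadable file: nothing to classify
            if any(head.startswith(m) for m in SQLITE_MAGICS):
                hits.append(os.path.relpath(path, web_root))
    return sorted(hits)


def demo():
    """Build a constructed web root with a _data directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        data = os.path.join(root, "_data")
        os.mkdir(data)
        # Constructed sample files; the names are placeholders, not piwigo's.
        samples = {
            os.path.join(data, "example-v3.db"): SQLITE_MAGICS[0] + b"\x00" * 84,
            os.path.join(data, "example-v2.db"): SQLITE_MAGICS[1] + b"\x00" * 16,
            os.path.join(data, "index.htm"): b"<html></html>",
            os.path.join(root, "index.php"): b"<?php ?>",
        }
        for path, content in samples.items():
            with open(path, "wb") as fh:
                fh.write(content)
        return find_sqlite_files(root)


if __name__ == "__main__":
    for rel in demo():
        print("SQLite database inside web root:", rel)
```

Any path this reports is a database file that sits under the served tree, so it needs either an explicit access denial in the web server configuration or relocation outside the web root.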


