Package: webcalendar
Version: 0.9.45-4
Severity: critical

[EMAIL PROTECTED]:/etc/webcalendar$ ls -l /etc/webcalendar/
total 88
-rw-r--r-- 1 root     root       487 May 18 18:39 apache.conf
-rw-r--r-- 1 root     root       461 Nov 11  2004 print_styles.css
-rw-r--r-- 1 www-data www-data   378 Apr 25 11:52 settings.php
-rw-r--r-- 1 root     root       369 Apr 20 11:06 settings.php.old
-rw-r--r-- 1 root     root       774 Dec 28 23:22 settings.php.tpl
-rw-r--r-- 1 root     root      6701 Nov 16  2004 site_extras.php
-rw-r--r-- 1 root     root     21879 Dec  7  2004 styles.php
-rw-r--r-- 1 root     root     12133 Dec 14 01:09 user-ldap.php
-rw-r--r-- 1 root     root     11417 Nov 16  2004 user-nis.php
-rw-r--r-- 1 root     root     11647 Nov 25  2004 user.php

All configuration files are world-readable. As settings.php includes a clear-text password and login to the database, this is highly insecure, hence the severity critical.

Wish I had seen this before Sarge's release.

Thanks
-- 
Jerome Warnier <[EMAIL PROTECTED]>
BeezNest
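
An audit for the condition reported above, as an added example that is not part of the original bug report or of the webcalendar package: it lists files in a configuration directory that are readable by "other" and contain credential-like settings, and can strip the "other" permission bits from them. The key-name pattern, the function names and the sample directory contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): list files under a config directory
# that are readable by "other" AND contain credential-like settings.
# CRED_PATTERN is an assumed heuristic, not WebCalendar's actual key list.
CRED_PATTERN='(passw(or)?d|login|secret)[[:space:]]*[:=]'

# Print each world-readable regular file under $1 whose content matches.
# File names containing newlines are not handled.
find_exposed_secrets() {
    find "$1" -type f -perm -004 -print | while IFS= read -r f; do
        if grep -Eiq -e "$CRED_PATTERN" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Remove all "other" permissions from every file flagged under $1.
# The owning user (www-data for settings.php in the listing) keeps access.
lock_down_exposed() {
    find_exposed_secrets "$1" | while IFS= read -r f; do
        chmod o-rwx "$f"
    done
}

# Build a constructed sample directory; all contents are made-up values.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'db_login: calendar\ndb_password: not-a-real-secret\n' > "$d/settings.php"
    printf 'body { color: black; }\n' > "$d/print_styles.css"
    printf 'db_password: not-a-real-secret\n' > "$d/settings.php.old"
    chmod 644 "$d/settings.php" "$d/print_styles.css"
    chmod 600 "$d/settings.php.old"   # already restricted: must not be flagged
    printf '%s\n' "$d"
}

# Usage: ./audit.sh /etc/webcalendar         (report only)
#        ./audit.sh --fix /etc/webcalendar   (report and chmod o-rwx)
case "${1:-}" in
    '')    : ;;                        # no argument: define functions only
    --fix) lock_down_exposed "$2" ;;
    *)     find_exposed_secrets "$1" ;;
esac
```

A flagged file owned by root would additionally need its group set to the web server's group before the "other" bits are removed, so that the application can still read it.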