Package: tntnet
Version: 2.1-2
Severity: grave

Dear Maintainer,

the default configuration of the tntnet package contains this line:

MapUrl  ^/(.*)$ static@tntnet /$1

This causes the whole filesystem to be exported via HTTP, thus allowing
all files readable by the user www-data on the whole system to be
downloaded via HTTP. For example, a GET request to
http://hostname/etc/passwd will return the /etc/passwd file.

The line should be changed like this:

MapUrl  ^/(.*)$ static@tntnet /var/www/$1


-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (1051, 'stable'), (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.4.60 (SMP w/16 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
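
A configuration check for the mapping described in this report, as an added example that is not part of the original report or of tntnet itself. It assumes the MapUrl line format quoted above, models `$N` substitution with Python's `re` module, and takes `/var/www` from the proposed fix as the document root; the sample configuration is constructed.

```python
import posixpath
import re

DOCROOT = "/var/www"       # assumption: document root from the proposed fix
PROBE_URL = "/etc/passwd"  # the request path used as the example in the report

# Constructed sample: the shipped line followed by the corrected one.
SAMPLE_CONF = """\
# constructed sample, MapUrl syntax as quoted in the report
MapUrl  ^/(.*)$ static@tntnet /$1
MapUrl  ^/(.*)$ static@tntnet /var/www/$1
"""

def mapped_path(regex, pathinfo, url):
    """Model the mapping: substitute $N in pathinfo with regex group N."""
    m = re.match(regex, url)
    if m is None:
        return None
    def group(ref):
        n = int(ref.group(1))
        return (m.group(n) or "") if n <= m.re.groups else ""
    return re.sub(r"\$(\d)", group, pathinfo)

def inside(path, root):
    """True if the normalized path is the root itself or lies below it."""
    norm = posixpath.normpath(path)
    root = root.rstrip("/")
    return norm == root or norm.startswith(root + "/")

def audit(conf_text, docroot=DOCROOT, probe=PROBE_URL):
    """Return (line_no, line, resolved_path) for static mappings that leave docroot."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4 or fields[0] != "MapUrl" or fields[2] != "static@tntnet":
            continue
        resolved = mapped_path(fields[1], fields[3], probe)
        if resolved is not None and not inside(resolved, docroot):
            findings.append((no, line.strip(), resolved))
    return findings

if __name__ == "__main__":
    for no, line, resolved in audit(SAMPLE_CONF):
        print(f"line {no}: {line!r} serves {PROBE_URL} from {resolved}")
```

Only the shipped line is reported; the corrected line resolves the same request to a path under the document root.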

