http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6627
Bug #: 6627
Summary: [security] insecure file creation
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: critical
Priority: P5
Component: Architecture, internals, and plumbing
AssignedTo: [email protected]
ReportedBy: [email protected]
QAContact: [email protected]
Some files are insecurely created in the /tmp system directory.
File: C4/Auth.pm
'/tmp/sessionlog'
File: installer/InstallAuth.pm
'/tmp/sessionlog'
File: installer/externalmodules.pl
'/tmp/modulesKoha.log'
File: C4/Print.pm
'/tmp/kohares'
As all have well-known names, don't survive a reboot and are hosted in a 1777
directory (/tmp), it is possible for *any* user on the host to create a
symlink that Koha will use to alter any file (respecting its permissions).
I suggest creating (and using) a dedicated directory for all of them. The Debian
place should be /var/lib/koha/. This directory should be readable/writable by
the Apache user (www-data) only (and eventually by the owner of the crontab, if
needed).
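The following is an added example, not Koha code: it shows why a fixed name in /tmp is unsafe and what the hardened alternative looks like. Everything runs inside a private sandbox directory created by the example itself; the names `sessionlog`, `victim.txt` and `koha-state` are constructed stand-ins for `/tmp/sessionlog` and the suggested `/var/lib/koha/`. Koha is Perl, but the same flags (`O_NOFOLLOW`, `O_CLOEXEC`) and the same fstat-after-open checks are available through Perl's `Fcntl` and `sysopen`.

```python
"""Fixed-name log files in a world-writable directory vs. a hardened opener.
Added example; not part of the Koha code base or the bug report."""
import os
import stat
import tempfile

# Never follow a symlink at the final path component, open append-only,
# and keep the descriptor out of child processes.
SAFE_FLAGS = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW | os.O_CLOEXEC


def open_log_unsafe(path):
    """The pattern the report describes: open a well-known name in a shared
    directory. open() follows whatever is already sitting at that name."""
    return open(path, "a")


def open_log_safe(path, mode=0o600):
    """Append to a log file without following symlinks, then verify via fstat
    that what we opened is a plain, unlinked-once file owned by us.
    O_EXCL is not used because a log legitimately persists across runs;
    the fstat checks cover the pre-existing-file case instead."""
    fd = os.open(path, SAFE_FLAGS, mode)  # raises OSError (ELOOP) on a symlink
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError(f"{path}: not a regular file")
        if st.st_nlink != 1:
            raise OSError(f"{path}: unexpected hard link count {st.st_nlink}")
        if st.st_uid != os.geteuid():
            raise OSError(f"{path}: owned by uid {st.st_uid}, not by us")
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")


def private_state_dir(base):
    """Create or verify a 0700 directory under `base`, the stand-in for the
    dedicated /var/lib/koha/ directory the report suggests (assumed layout)."""
    path = os.path.join(base, "koha-state")
    os.makedirs(path, mode=0o700, exist_ok=True)
    st = os.lstat(path)
    if (not stat.S_ISDIR(st.st_mode) or st.st_uid != os.geteuid()
            or st.st_mode & 0o077):
        raise OSError(f"{path}: state directory is not private to us")
    return path


def demo(sandbox=None):
    """Exercise both openers inside a constructed sandbox and return the
    observations as a dict. Nothing outside the sandbox is touched."""
    sandbox = sandbox or tempfile.mkdtemp(prefix="symlink-demo-")
    target = os.path.join(sandbox, "victim.txt")
    with open(target, "w") as f:
        f.write("original\n")

    # Constructed: a symlink pre-placed at the well-known name, as the
    # report describes happening in /tmp.
    sessionlog = os.path.join(sandbox, "sessionlog")
    os.symlink(target, sessionlog)

    # The plain open follows the link and writes into the other file.
    with open_log_unsafe(sessionlog) as f:
        f.write("session data\n")
    with open(target) as f:
        unsafe_wrote_through = "session data" in f.read()

    # The hardened open refuses the symlink outright.
    try:
        open_log_safe(sessionlog)
        safe_refused = False
    except OSError:
        safe_refused = True

    # The same opener on a name inside a private state directory works.
    state = private_state_dir(sandbox)
    with open_log_safe(os.path.join(state, "sessionlog")) as f:
        f.write("session data\n")
    safe_in_state_dir = os.path.isfile(os.path.join(state, "sessionlog"))

    return {"unsafe_wrote_through": unsafe_wrote_through,
            "safe_refused": safe_refused,
            "safe_in_state_dir": safe_in_state_dir}


if __name__ == "__main__":
    print(demo())
```

Moving the files into a directory only the service user can enter removes the shared-namespace problem entirely; the `O_NOFOLLOW` plus `fstat` checks are defence in depth for the case where a path is still configurable by an administrator.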
_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs