Package: exim4-config
Version: 4.80-7+deb7u1
Severity: grave
Tags: security
Justification: user security hole

Hi folks,

suppose you have set up an exim4 which provides virtual mailing, managing domains/accounts in a DB, say mysql. Just adding mysql queries and DB *authentication data* to the exim4 templates (both single-file or split-files configuration) will result in information disclosure of all virtual mail users/passwords to users who have either shell access, or can run scripts on the webserver (cgi, php, $whatever), or have any other means to access these paths:

 * /etc/exim4/exim4.conf.template
 * /etc/conf.d/
 * /var/lib/exim4/config.autogenerated

I strongly suggest changing the modes of

 * /etc/exim4
 * /var/lib/exim4

to o-rwx.

Thanks
Daniel

-- Package-specific info:
Exim version 4.80 #2 built 24-Jul-2014 03:28:02
Copyright (c) University of Cambridge, 1995 - 2012
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2012
Berkeley DB: Berkeley DB 5.1.29: (October 25, 2011)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: 7.8
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'proposed-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages exim4-config depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49

exim4-config recommends no packages.

exim4-config suggests no packages.
-- debconf information excluded
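The following is an added example, not part of Daniel's report or of the exim4 packaging. It is a small POSIX shell audit for the exposure the report describes: it lists every entry under the exim4 configuration trees that any local user can read, write or traverse, and on request applies the o-rwx the report asks for. The path list, the use of the Debian-exim group, the reliance on GNU coreutils/findutils (stat -c, find -perm /mode) and the sample template with made-up mysql credentials that the demo builds under a temporary directory are all assumptions made for the demonstration; the recursive chmod/chgrp also goes further than the report, which only asks for the two directories.

```shell
#!/bin/sh
# Added example (not from the bug report or the exim4 package): audit the
# exim4 configuration paths for any "other" permission bits and, on request,
# apply the o-rwx the report suggests.
#
# Assumptions: the path list below, that the daemon's group is Debian-exim,
# and GNU coreutils/findutils (stat -c, find -perm /mode) as found on Debian.

EXIM_PATHS="/etc/exim4 /var/lib/exim4"
EXIM_GROUP="Debian-exim"

# world_accessible PATH -> 0 if any r/w/x bit is set for "other", else 1
world_accessible() {
    perm=$(stat -c '%A' "$1") || return 1
    case "$perm" in
        *---) return 1 ;;    # trailing three chars are the "other" bits
        *)    return 0 ;;
    esac
}

# audit_paths PATH... -> prints every entry under the given paths that any
# local user can read, write or traverse; returns 1 if there were any
audit_paths() {
    found=0
    for p in "$@"; do
        [ -e "$p" ] || continue
        hits=$(find "$p" -perm /o+rwx 2>/dev/null)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return "$found"
}

# harden_paths GROUP PATH... -> hand the tree to GROUP and strip "other" bits.
# Recursive on purpose (the report only asks for the two directories), so a
# template carrying credentials stays unreadable even if a directory mode is
# later relaxed again.
harden_paths() {
    grp=$1; shift
    for p in "$@"; do
        [ -e "$p" ] || continue
        chgrp -R "$grp" "$p" && chmod -R o-rwx "$p" || return 1
    done
    return 0
}

# demo: rebuild the reported layout under a temp dir with a constructed
# template (the mysql_servers credentials are made up), show the exposure,
# then fix it using the caller's own group instead of Debian-exim.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc/exim4/conf.d/main" "$tmp/var/lib/exim4"
    tpl="$tmp/etc/exim4/exim4.conf.template"
    printf '%s\n' 'mysql_servers = localhost/exim/eximuser/changeme' > "$tpl"
    cp "$tpl" "$tmp/etc/exim4/conf.d/main/01_mysql"
    cp "$tpl" "$tmp/var/lib/exim4/config.autogenerated"
    chmod -R u=rwX,go=rX "$tmp"   # the stock 755 / 644 layout
    echo "== before: readable by every local user =="
    audit_paths "$tmp/etc/exim4" "$tmp/var/lib/exim4" || :
    harden_paths "$(id -gn)" "$tmp/etc/exim4" "$tmp/var/lib/exim4"
    echo "== after o-rwx =="
    if audit_paths "$tmp/etc/exim4" "$tmp/var/lib/exim4"; then
        echo "no world-accessible entries left"
    fi
    rm -rf "$tmp"
}

# No arguments: run the demo.  PATH...: audit.  --fix [PATH...]: harden
# (defaulting to EXIM_PATHS), then audit.  Exit 1 if anything is exposed.
main() {
    [ $# -gt 0 ] || { demo; return; }
    if [ "$1" = "--fix" ]; then
        shift
        [ $# -gt 0 ] || set -- $EXIM_PATHS   # split on spaces, by design
        harden_paths "$EXIM_GROUP" "$@" || return 1
    fi
    if audit_paths "$@"; then
        echo "ok: nothing under $* is accessible to other users"
    else
        echo "warning: the entries above are accessible to every local user" >&2
        return 1
    fi
}

main "$@"
```

Run it with no arguments to see the constructed before/after, with `/etc/exim4 /var/lib/exim4` to audit a real host, or with `--fix` (as root) to apply the change and re-audit. The audit keys off the literal "other" bits only, so a POSIX ACL that grants access to extra users would not be flagged; check `getfacl` separately if ACLs are in use.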