[Koha-bugs] [Bug 6627] New: [security] insecure file creation
bugzilla-daemon at bugs.koha-community.org
Mon Jul 25 10:02:48 CEST 2011
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6627
Bug #: 6627
Summary: [security] insecure file creation
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: critical
Priority: P5
Component: Architecture, internals, and plumbing
AssignedTo: gmcharlt at gmail.com
ReportedBy: semarie-koha at latrappe.fr
QAContact: koha-bugs at lists.koha-community.org
Some files are insecurely created in the /tmp system directory.
File: C4/Auth.pm
'/tmp/sessionlog'
File: installer/InstallAuth.pm
'/tmp/sessionlog'
File: installer/externalmodules.pl
'/tmp/modulesKoha.log'
File: C4/Print.pm
'/tmp/kohares'
As all have well-known names, don't survive a reboot and are hosted in a 1777
directory (/tmp), it is possible for *any* user on the host to create a
symlink that Koha will use to alter any file (respecting its permissions).
I suggest creating (and using) a special directory for all of them. The Debian
place should be /var/lib/koha/. This directory should be readable/writable by
the Apache user (www-data) only (and eventually by the owner of the crontab, if
needed).
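The symlink hazard described in the report and the fix it proposes, as an added example that is not Koha's code: Koha is written in Perl, but the POSIX open flags are the same, so this Python demonstration uses os.open with O_CREAT|O_NOFOLLOW and checks that the target directory is private (owned by the running user, not group/world writable) before writing, the way a dedicated /var/lib/koha directory would be. All paths are constructed under a throwaway temp tree rather than the real /tmp names; insecure_open, secure_open and demo are hypothetical names.

```python
import os
import stat
import tempfile

# Hypothetical helpers, not Koha's code (Koha would use sysopen() with Fcntl flags).

def insecure_open(path):
    """The pattern in the report: a fixed, well-known name opened with plain open().
    open() follows symlinks, so a link planted at that name redirects the write."""
    return open(path, "a")

def secure_open(path):
    """Open `path` for append only inside a directory private to this user,
    creating it 0600 and refusing to follow a symlink at the final component."""
    d = os.path.dirname(path) or "."
    st = os.lstat(d)
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{d} is not a directory")
    if st.st_uid != os.geteuid() or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{d} must be owned by us and not group/world writable")
    # O_NOFOLLOW makes the kernel fail with ELOOP if `path` itself is a symlink.
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    return os.fdopen(fd, "a")

def demo():
    """Constructed scenario under a temp tree. Returns (insecure_write_followed_link,
    secure_refused_shared_dir, secure_refused_symlink, secure_wrote_in_private_dir)."""
    base = tempfile.mkdtemp()
    shared = os.path.join(base, "shared")        # stands in for 1777 /tmp
    os.mkdir(shared)
    os.chmod(shared, 0o1777)
    private = os.path.join(base, "koha")         # stands in for /var/lib/koha
    os.mkdir(private)
    os.chmod(private, 0o700)
    victim = os.path.join(base, "victim.conf")   # file another user wants altered
    open(victim, "w").close()
    os.symlink(victim, os.path.join(shared, "sessionlog"))
    with insecure_open(os.path.join(shared, "sessionlog")) as fh:
        fh.write("redirected write\n")
    followed = os.path.getsize(victim) > 0       # True: the symlink was followed

    def refused(p):
        try:
            secure_open(p).close()
            return False
        except OSError:                          # PermissionError or ELOOP
            return True

    os.symlink(victim, os.path.join(private, "planted"))
    with secure_open(os.path.join(private, "sessionlog")) as fh:
        fh.write("ok\n")
    return (followed, refused(os.path.join(shared, "sessionlog")),
            refused(os.path.join(private, "planted")),
            os.path.isfile(os.path.join(private, "sessionlog")))
```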