Adrien Clerc
2010-Apr-25 08:35 UTC
[Secure-testing-team] Bug#579087: [prosody] Database directory, including plaintext password is world readable
Package: prosody
Version: 0.6.2-1
Severity: normal
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org

--- Please enter the report below this line. ---

Hi,

It seems that /var/lib/prosody and all subdirectories and files are world readable. Since those files can contain plaintext passwords, it is very annoying for public servers.

Please make sure that the database can only be read by the prosody user.

--- System information. ---
Architecture: i386
Kernel: Linux 2.6.32-3-686

Debian Release: squeeze/sid
500 unstable ftp.fr.debian.org

--- Package information. ---
Depends                       (Version) | Installed
=======================================-+-=============
adduser                                 | 3.112
openssl                                 | 0.9.8n-1
lua5.1                                  |
liblua5.1-0                             | 5.1.4-5
liblua5.1-expat0                        |
liblua5.1-socket2                       |
libc6                          (>= 2.2) | 2.10.2-6
libidn11                      (>= 1.13) | 1.18-1
libssl0.9.8               (>= 0.9.8m-1) | 0.9.8n-1
liblua5.1-filesystem0                   |

Recommends          (Version) | Installed
=============================-+-==========
liblua5.1-sec1                |

Package's Suggests field is empty.
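
One way to check for and correct the condition the report describes, as an added example that is not part of the original report or of the Debian package. The owner-only policy (no group or other access) and the function names are assumptions; the data directory is passed as an argument.

```shell
#!/bin/sh
# Added example: audit a service data directory for entries that users
# other than the owner can reach, and restrict the tree to the owner.
# Function names and the owner-only policy are assumptions for illustration.

# Print every file and directory under $1 that grants read, write or
# execute to "other". Symlinks are skipped because their own mode bits
# are not what controls access to the target.
list_world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Remove all group and other permissions below $1, leaving the owner's
# bits untouched, so that only the owning service account (and root)
# can read the stored data.
tighten_data_dir() {
    find "$1" ! -type l -exec chmod go-rwx {} +
}

# Report-only by default; pass --fix as the second argument to change modes.
audit_data_dir() {
    dir=$1
    mode=${2:-report}
    found=$(list_world_accessible "$dir")
    if [ -z "$found" ]; then
        echo "OK: nothing under $dir is accessible to other users"
        return 0
    fi
    echo "World-accessible entries under $dir:"
    echo "$found"
    if [ "$mode" = "--fix" ]; then
        tighten_data_dir "$dir"
        echo "Permissions restricted to the owner."
        return 0
    fi
    return 1
}

# Run only when a directory is given, e.g.: sh audit.sh /var/lib/prosody
if [ "$#" -ge 1 ]; then
    audit_data_dir "$@"
fi
```

Correcting existing modes does not affect files created later: those take their permissions from the umask of the process that writes them, so the service also has to run with a restrictive umask for the fix to hold.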