[Bug 202262] sysutils/froxlor: database password information leak (CVE-2015-5959)
bugzilla-noreply at freebsd.org
Wed Aug 12 01:03:18 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202262
Bug ID: 202262
Summary: sysutils/froxlor: database password information leak (CVE-2015-5959)
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs at FreeBSD.org
Reporter: junovitch at freebsd.org
CC: coco at executive-computing.de
Flags: maintainer-feedback?(coco at executive-computing.de)
Maintainer of sysutils/froxlor,
There is a security advisory relevant to the current version of Froxlor in the
ports collection.
Affects
=====
- Froxlor 0.9.33.1 and earlier
Fixed
====
- Froxlor 0.9.33.2
Summary
========
An unauthenticated remote attacker is able to get the database password via
web access due to wrong file permissions of the /logs/ folder in froxlor version
0.9.33.1 and earlier. The plain SQL password and username may be stored in the
/logs/sql-error.log file. This directory is publicly reachable under the
default configuration/setup.
Full Source Reference is available:
http://seclists.org/oss-sec/2015/q3/238