Hi, there is a bad permission on the /var/log/teamspeak2-server/server.log file. This file is unreasonably world-readable.
And the password of the ts2 (super)admin is printed in this file.
This is a binary package, and the file isn't installed by us. This file is created by the application. Please report this upstream.
lefti, will you report it upstream or should the Security Team handle it?
The TS2 developers told me "This isn't bug".
Mhmm. World-readable admin password is not a bug, did I get that right? Mhmm. Impressive. In that case, I am quite happy that I don't have that software on my machines.
Not a bug for them, but I still don't like that. Since it's a binary package, we probably have no possibilities to fix this on our own. What about masking it until they change their opinion?
I agree on masking this one.
Well, I am not in the security team and no developer. But I also don't like that and think that (potential) users should be warned about that password disclosure. Masking the package until the problem is solved seems to be the best way (available for Gentoo) to deal with the problem, I believe.
(In reply to comment #5)
> Impressive.
Yes! Maybe it comes from:
    einfo "The Teamspeak Server generates the admin and superadmin"
    einfo "passwords on the fly. To get them, please look in:"
    einfo "/var/log/teamspeak2-server/server.log"
but since the one who installs the soft (and starts it) should be the root, this is completely unuseful... Will try to find a workaround but not sure to fulfil it :)
Some news here. I installed the soft, and it reveals that the logfile is NOT world-readable:
    $ lld /var/log/teamspeak2-server
    drwx------ 2 teamspeak2 root 104 Apr 1 17:53 /var/log/teamspeak2-server
It is not a security issue as for me.
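The comment above rests on the parent directory being `drwx------`: without search permission on every ancestor directory, other users cannot open the log whatever the file's own mode bits say. The following is an added example, not part of the original thread; `other_blocker` and `build_sample` are hypothetical helpers, and the sample tree is constructed in a temporary directory rather than read from a real TeamSpeak install.

```python
import os
import stat
import tempfile


def other_blocker(path):
    """Return the path component nearest the file that denies access to
    'other' users (not owner, not in the group), or None if nothing does.
    Only classic mode bits are checked; POSIX ACLs are ignored."""
    path = os.path.realpath(path)
    if not os.stat(path).st_mode & stat.S_IROTH:
        return path  # the file itself lacks o+r
    parent = os.path.dirname(path)
    while True:
        # Opening a file needs search (x) permission on every ancestor.
        if not os.stat(parent).st_mode & stat.S_IXOTH:
            return parent
        if parent == os.path.dirname(parent):  # reached "/"
            return None
        parent = os.path.dirname(parent)


def build_sample(dir_mode, file_mode):
    """Constructed stand-in for /var/log/teamspeak2-server/server.log."""
    base = os.path.realpath(tempfile.mkdtemp())
    os.chmod(base, 0o755)
    logdir = os.path.join(base, "teamspeak2-server")
    os.mkdir(logdir)
    log = os.path.join(logdir, "server.log")
    with open(log, "w") as fh:
        fh.write("constructed sample line\n")
    os.chmod(log, file_mode)
    os.chmod(logdir, dir_mode)
    return logdir, log


if __name__ == "__main__":
    for dir_mode, file_mode in [(0o700, 0o644), (0o755, 0o644), (0o755, 0o600)]:
        logdir, log = build_sample(dir_mode, file_mode)
        blocker = other_blocker(log)
        print(f"dir {dir_mode:o} file {file_mode:o}: blocked by {blocker}")
```

A `None` result means the file is readable by any local account, so a log that records credentials should never report `None`.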
This looks INVALID, please reopen if you disagree. Thanks Raphael.