Bug 71228 - webapp-config leaks information
Summary: webapp-config leaks information
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Web Application Packages Maintainers
Reported: 2004-11-14 17:51 UTC by Michael Locher
Modified: 2005-05-30 04:14 UTC
Description Michael Locher 2004-11-14 17:51:36 UTC
webapp-config creates unprotected .webapp files for all installed web applications in the DocumentRoot.
The information in these files should not be available to all clients of the webserver.

Reproducible: Always
Steps to Reproduce:
1. Use webapp-config to deploy a webapp (e.g. webapp-config -I phpmyadmin ...)


Actual Results:  
Unprotected information is available at http://localhost/phpmyadmin/.webapp

# .webapp
#	config file for this copy of phpmyadmin/2.6.0_p2
#	
#	automatically created by Gentoo's webapp-config
#	do NOT edit this file by hand

WEB_PN="phpmyadmin"
WEB_PVR="2.6.0_p2"
WEB_INSTALLEDBY="root"
WEB_INSTALLEDDATE="2004-11-14 20:04:47"
WEB_INSTALLEDFOR="root:root"
WEB_HOSTNAME="localhost"
WEB_INSTALLDIR="/phpmyadmin"

Expected Results:  
webapp-config should store its administrative information outside the DocumentRoot 

The reported behaviour occurred with net-www/webapp-config-1.10-r11.
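As an added defender's check, not part of this bug report or of webapp-config itself: a POSIX shell script that lists .webapp files under a DocumentRoot whose group or other read bit is set (the exposure described above), counts them, and tightens them to mode 0600. The DocumentRoot path in the usage comment is a constructed example.

```shell
#!/bin/sh
# Added example, not webapp-config code. Finds .webapp marker files that
# any local user (and so a misconfigured or traversing web server process)
# can read, and optionally clears the group/other read bits.

# Print one path per line for every .webapp file under the given DocumentRoot
# whose mode grants read access to group or other. Sorted for stable output.
# Usage: exposed_webapp_files /var/www/localhost/htdocs   (constructed path)
exposed_webapp_files() {
    docroot="$1"
    find "$docroot" -type f -name '.webapp' \
        \( -perm -g+r -o -perm -o+r \) -print | sort
}

# Number of exposed files; handy as the result of a cron or monitoring check.
count_exposed_webapp_files() {
    exposed_webapp_files "$1" | wc -l | tr -d ' '
}

# Re-mode every exposed file to 0600 (owner read/write only) without touching
# its contents; the file stays where webapp-config expects it.
lock_down_webapp_files() {
    exposed_webapp_files "$1" | while IFS= read -r f; do
        chmod 0600 "$f"
    done
}
```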
Comment 1 solar (RETIRED) gentoo-dev 2004-11-14 18:33:40 UTC
I don't think this is a real security problem. Reassigning to the maintainer.

Stuart, others.
Please make these files 'o-r' by default if you can.
Comment 2 Stuart Herbert (RETIRED) gentoo-dev 2005-05-30 04:14:08 UTC
webapp-config v1.11 will create these files as '0600'. I've no plans to move them out of the DocumentRoot, though, as it makes it a lot easier to cope when people move directories around on webservers.

Best regards,
Stu