
Bug 57514

Summary: Security hole: Horde test.php files should be chmod'd to 0
Product: Gentoo Linux
Reporter: Mike Nerone <mike>
Component: Current packages
Assignee: SpanKY <vapier>
Status: RESOLVED FIXED
Severity: major
Priority: High
Version: 2004.0
Hardware: All
OS: All
Whiteboard:
Package list:
Runtime testing required: ---

Description Mike Nerone 2004-07-18 13:32:11 UTC
Most (all?) Horde applications come with test.php files intended to help the administrator determine if all needed applications are in place, etc. They can provide a wealth of information (including full output of phpinfo()) to a cracker, and are intended to be disabled for normal use. In the interest of security, ebuilds should chmod them to 0 at installation (the admin can enable them explicitly when testing).

In fact, horde-2.2.5.ebuild already does this chmod explicitly in the ebuild. Ebuilds for other horde components don't, though. I submit that this chmod should be put into the eclass in horde_src_install().
Comment 1 SpanKY gentoo-dev 2004-07-18 17:49:04 UTC
hmm, didn't realize other plugins came with test.php, thought just horde did
Comment 2 SpanKY gentoo-dev 2004-07-30 06:23:21 UTC
added to the eclass, thanks
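
The check the report asks for, as an added example that is not part of the original bug thread or the Gentoo eclass: a POSIX shell audit that finds any test.php under an install root that still has permission bits set and can apply the chmod 0 mitigation. The function names and the install root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the eclass code): audit Horde test.php permissions.
# The install root is an assumption supplied by the caller, e.g. a webroot.

# Print every test.php under $1 that still has any permission bit set.
# "! -perm 0" is POSIX find: true unless the mode is exactly 0000.
horde_exposed_tests() {
    find "$1" -type f -name test.php ! -perm 0 -print
}

# Number of exposed test.php files under $1.
horde_count_exposed() {
    horde_exposed_tests "$1" | wc -l | tr -d ' '
}

# Apply the mitigation from the bug report: chmod 0 on each exposed file.
horde_lock_tests() {
    find "$1" -type f -name test.php ! -perm 0 -exec chmod 0 {} +
}

# Report exposed files; with "fix" as $2, lock them down first.
# Returns 0 when nothing is exposed, 1 when files remain, 2 on bad input,
# so it can gate a cron job or a post-install check.
horde_audit() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi
    if [ "${2:-}" = fix ]; then
        horde_lock_tests "$root"
    fi
    n=$(horde_count_exposed "$root")
    if [ "$n" -gt 0 ]; then
        horde_exposed_tests "$root" | while IFS= read -r f; do
            ls -ld "$f"
        done
        echo "$n test.php file(s) still accessible under $root" >&2
        return 1
    fi
    return 0
}
```

Run `horde_audit /path/to/horde` to report and `horde_audit /path/to/horde fix` to lock the files down; an administrator who needs a test page temporarily can restore its mode by hand and re-run the audit afterwards.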