Bug 71228

Summary:	webapp-config leaks information
Product:	Gentoo Security	Reporter:	Michael Locher <xray>
Component:	Vulnerabilities	Assignee:	Gentoo Web Application Packages Maintainers <web-apps>
Status:	RESOLVED FIXED
Severity:	normal	CC:	rockoo
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Michael Locher 2004-11-14 17:51:36 UTC

webapp-config creates unprotected .webapp files for all installed webapplications in the DocumentRoot.
the information in these files should not be available to all clients of the webserver.

Reproducible: Always
Steps to Reproduce:
1. Use webapp-config to deploy a webapp (eg. webapp-config -I phpmyadmin ...)


Actual Results:  
Unprotected information is available at http://localhost/phpmyadmin/.webapp

# .webapp
#	config file for this copy of phpmyadmin/2.6.0_p2
#	
#	automatically created by Gentoo's webapp-config
#	do NOT edit this file by hand

WEB_PN="phpmyadmin"
WEB_PVR="2.6.0_p2"
WEB_INSTALLEDBY="root"
WEB_INSTALLEDDATE="2004-11-14 20:04:47"
WEB_INSTALLEDFOR="root:root"
WEB_HOSTNAME="localhost"
WEB_INSTALLDIR="/phpmyadmin"

Expected Results:  
webapp-config should store its administrative information outside the DocumentRoot 

The reported behaviour occured with net-www/webapp-config-1.10-r11

Comment 1 solar (RETIRED) gentoo-dev

2004-11-14 18:33:40 UTC

I don't think is a real security problem. Reassigning to the maintainer.

Stuart, others.
Please make these files 'o-r' by default if you can.

Comment 2 Stuart Herbert (RETIRED) gentoo-dev

2005-05-30 04:14:08 UTC

webapp-config v1.11 will create these files as '0600'.  I've no plans to move 
them out of the DocumentRoot, tho, as it makes it a lot easier to cope when 
people move directories around on webservers.

Best regards,
Stu