Package: owncloud
Version: 4.0.1debian-1
Severity: important

Hi,

When you install owncloud, set up a MySQL/PostgreSQL database and then visit http://<host>/owncloud/, it generates the configuration file /etc/owncloud/config.php. However, this file is readable by all users, which thereby gives them access to the database! This file should have mode 600 or 640 (given that it's owned by www-data:www-data).

Cheers,
Paul

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/3 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages owncloud depends on:
ii  apache2                      2.2.22-5
ii  apache2-mpm-prefork [httpd]  2.2.22-5
ii  libjs-jquery                 1.7.2+debian-1
ii  libjs-jquery-jplayer         2.1.0-1
ii  libjs-jquery-ui              1.8.ooops.20+dfsg-1
ii  libphp-phpmailer             5.1-1
ii  owncloud-mysql               4.0.1debian-1
ii  php-crypt-blowfish           1.1.0~RC2-1
ii  php-getid3                   1.9.3-1
ii  php-mdb2                     2.5.0b3-2
ii  php-mdb2-schema              0.8.5-1
ii  php-pear                     5.4.0-3
ii  php-sabredav                 1.6.2-1
ii  php-xml-parser               1.3.4-4
ii  php5                         5.4.0-3
ii  php5-curl                    5.4.0-3
ii  php5-gd                      5.4.0-3

Versions of packages owncloud recommends:
ii  exim4                                      4.77-1
ii  exim4-daemon-light [mail-transport-agent]  4.77-1+b1

owncloud suggests no packages.

-- Configuration Files:
/etc/apache2/conf.d/owncloud.conf changed [not included]

-- no debconf information
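
An added example, not part of the original report or of the owncloud package: a shell check for the condition reported above (a credentials-bearing config file readable by all users), accepting only modes no wider than the 600 or 640 the report asks for. It assumes GNU stat as shipped on Debian; the function names `config_mode_ok` and `harden_config` are hypothetical.

```shell
#!/bin/sh
# Audit config files that hold database credentials (for example the
# /etc/owncloud/config.php named in the report). Requires GNU stat.

# config_mode_ok FILE
#   returns 0 if "other" has no access and group has at most read,
#   returns 1 if the mode is wider than that,
#   returns 2 if FILE cannot be inspected.
config_mode_ok() {
    mode=$(stat -c '%a' -- "$1" 2>/dev/null) || return 2
    # %a prints octal (3 or 4 digits); the leading 0 makes sh parse it as octal.
    other=$(( 0$mode & 07 ))
    group=$(( (0$mode >> 3) & 07 ))
    [ "$other" -eq 0 ] || return 1
    # Group may be 0 (---) or 4 (r--), matching modes 600 and 640.
    [ "$group" -eq 0 ] || [ "$group" -eq 4 ] || return 1
    return 0
}

# harden_config FILE
#   drops all access for "other" and write/execute for group;
#   owner bits and ownership are left untouched.
harden_config() {
    chmod g-wx,o-rwx -- "$1"
}

# Stand-alone use: pass one or more paths; nothing is modified.
for f in "$@"; do
    rc=0
    config_mode_ok "$f" || rc=$?
    case $rc in
        0) echo "OK    $f ($(stat -c '%a %U:%G' -- "$f"))" ;;
        1) echo "WEAK  $f ($(stat -c '%a %U:%G' -- "$f")): readable beyond owner/group" ;;
        *) echo "ERROR $f: cannot stat" ;;
    esac
done
```

Run with a path argument, it only reports; `harden_config` is called explicitly when the mode should be tightened.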