Package: webcalendar
Version: 1.0.4-1
Severity: serious
Tags: security

Hi,
When doing a default Debian install of webcalendar, you end up with a
configuration that has register_globals set to On:
    <DirectoryMatch /usr/share/webcalendar/www/>
        Options +FollowSymLinks
        AllowOverride None
        order allow,deny
        allow from all
        php_flag magic_quotes_gpc On
        php_flag track_vars On
        php_flag register_globals On
        php_value include_path .
        # you can use this environment variable to tell webcalendar to use a
        # different conf file than the default listed here
        SetEnv WEBCALENDAR_CONFIG_FILE /etc/webcalendar/settings.conf
    </DirectoryMatch>
This is bad - the register_globals setting has been defaulted to Off for
years in PHP for a very good reason: it opens up a lot more
possibilities for security issues.
The Debian security team does not support installations with
register_globals on. Hence, this package is unsupportable in its default
configuration. That warrants a "serious" bug to me.
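To make concrete what the report means by register_globals opening up security issues, here is an added PHP example (not webcalendar's code and not from the report): the login pattern the directive undermines, beside the same page written to initialize its state, read input only from the superglobals, and refuse to serve while the flag is On. check_login() and the 'demo' credential are constructed stand-ins.

```php
<?php
// Added illustration, not code from webcalendar, Debian or the report's author.
// check_login() and the 'demo' credential are constructed stand-ins for the
// application's real authentication.

// The pattern that register_globals=On breaks, as it was commonly written:
//
//     if (check_login($user, $pass)) { $authorized = true; }
//     if ($authorized) { /* show the private calendar */ }
//
// With the directive On, PHP copies every request parameter into the global
// scope before the script runs, so $user, $pass and $authorized can all
// arrive pre-set from the client, and an uninitialized $authorized is no
// longer a reliable "not logged in" state. The Apache-side fix for the
// report's snippet is "php_flag register_globals Off"; the code below is
// the same page written so that it stays correct either way.

function check_login($user, $pass) {
    // Constructed demo credential; a real application consults its user store.
    return $user === 'demo' && $pass === 'demo-secret';
}

// 1. Refuse to serve while the directive is On. ini_get() returns the raw
//    setting, "1" for php_flag On, so normalize the usual spellings.
$rg = strtolower((string) ini_get('register_globals'));
if (in_array($rg, array('1', 'on', 'yes', 'true'), true)) {
    error_log('register_globals is On; refusing to serve this page');
    header('HTTP/1.0 500 Internal Server Error');
    exit;
}

// 2. Never depend on a variable being unset: initialize all state explicitly.
$authorized = false;

// 3. Read input only from the explicit superglobals, with a default.
$user = isset($_POST['user']) ? (string) $_POST['user'] : '';
$pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';

if ($user !== '' && check_login($user, $pass)) {
    $authorized = true;
}

if ($authorized) {
    echo 'private calendar';
} else {
    echo 'login form';
}
```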
Given that:
* Webcalendar has had two unacknowledged NMUs;
* The maintainer hasn't been active in Debian since 2005, with one
  exception: an upload in April;
* There have been a significant number of webcalendar security issues
  in the past years;
there should either be an active maintainer for this package or it
should not be shipped in etch.
Thijs