
CVE-2014-3928: Unsafe configuration file path/ACL #4

Closed
@lucab

Description

@lucab

I've already tried to report security issues privately via mail (message-id 20140520102828.30d346b6@xantho) on 20/05/2014 but didn't get any reply, so I'm filing a public report.

The config filename is hardcoded at lg.cgi:299. As such, IPs and credentials are stored in a plain file named lg.conf under the same web directory, and the software README doesn't suggest any additional protection.

In order to avoid exposing credentials through the web, it would be better to move this file outside of the web root, or to suggest proper ACLs for the webserver configuration.

cc @emdel for credits
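The following is an added example, not code from lg.cgi or from the issue author. It audits the two conditions the report describes (a credentials file located under the web root, and a file mode that lets other local accounts read it) and contrasts a constructed reproduction of the reported layout with a hardened one where the config is moved outside the web root. All paths are created in a temporary directory and the router address and password are constructed dummy values.

```python
"""Check whether a CGI's config file is exposed under the web root or on the filesystem.

Added example, not part of the looking-glass project. Everything below runs
against constructed paths in a temporary directory.
"""
import os
import stat
import tempfile
from typing import List, Tuple


def is_inside(path: str, root: str) -> bool:
    """True if *path* resolves to a location under *root*.

    Symlinks are resolved first, and the comparison uses os.path.commonpath
    rather than a plain string prefix so that '/srv/htdocs-old/lg.conf' is
    not mistaken for something under '/srv/htdocs'.
    """
    real_path = os.path.realpath(path)
    real_root = os.path.realpath(root)
    try:
        return os.path.commonpath([real_path, real_root]) == real_root
    except ValueError:  # paths on different drives (Windows)
        return False


def group_or_world_readable(path: str) -> bool:
    """True if the file mode grants read permission to group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_config(config_path: str, web_root: str) -> List[str]:
    """Return the exposure findings for a config file; empty means none detected."""
    findings = []
    if is_inside(config_path, web_root):
        findings.append("config lives under the web root and may be served over HTTP")
    if group_or_world_readable(config_path):
        findings.append("config is readable by group/others on the filesystem")
    return findings


def build_weak_layout(base: str) -> Tuple[str, str]:
    """Constructed reproduction of the reported layout: lg.conf beside the CGI, mode 0644."""
    web_root = os.path.join(base, "htdocs")
    os.makedirs(web_root)
    conf = os.path.join(web_root, "lg.conf")
    with open(conf, "w") as f:
        f.write("router=192.0.2.1\npassword=constructed-dummy\n")  # constructed values
    os.chmod(conf, 0o644)
    return conf, web_root


def build_hardened_layout(base: str) -> Tuple[str, str]:
    """Config moved outside the web root and readable only by its owner (the CGI user)."""
    web_root = os.path.join(base, "htdocs")
    os.makedirs(web_root)
    etc_dir = os.path.join(base, "etc")
    os.makedirs(etc_dir)
    conf = os.path.join(etc_dir, "lg.conf")
    with open(conf, "w") as f:
        f.write("router=192.0.2.1\npassword=constructed-dummy\n")  # constructed values
    os.chmod(conf, 0o600)
    return conf, web_root


def run_demo() -> dict:
    """Audit both constructed layouts and return their findings keyed by name."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        conf, web_root = build_weak_layout(base)
        results["weak"] = audit_config(conf, web_root)
    with tempfile.TemporaryDirectory() as base:
        conf, web_root = build_hardened_layout(base)
        results["hardened"] = audit_config(conf, web_root)
    return results


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {findings or ['no exposure detected']}")
```

If the file cannot be moved, the equivalent webserver-side mitigation the report asks the README to suggest is a rule that refuses to serve it, such as an Apache `<Files "lg.conf">` block containing `Require all denied`, or an nginx `location = /lg.conf { deny all; }`; the filesystem mode check above still applies in that case, since other local accounts could otherwise read the credentials directly.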
