lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <407AE05E.9070405@citadel.org>
Date: Mon, 12 Apr 2004 14:30:54 -0400
From: error@...adel.org (IO ERROR)
To: BUGTRAQ <bugtraq@...urityfocus.com>
Subject: Citadel/UX 6.20 fixes local permissions vulnerability


Citadel/UX Security Advisory 2004-01

1. Topic:

Updated Citadel/UX package fixes permissions problem which could allow 
local users direct access to the Citadel/UX database.

2. Relevant releases/architectures:

Citadel/UX 5.00 - 6.14, all architectures

3. Problem description:

Citadel/UX is a high performance, multithreaded messaging server which 
provides multiple access methods including Web, POP3, IMAP, SMTP and 
native Citadel protocols.  It provides email, public forums, mailing 
lists, instant messaging, multiple/virtual domain support, 
calendaring/scheduling, single-instance message store, and many other 
features.

In older Citadel/UX releases, the "data" directory, where Citadel stores 
its database files, had permissions drwxr-xr-x (0755) set, and the data 
files were -rw-r--r-- (0644).  This allowed any local user to view the 
database directly, bypassing access controls to read messages which the 
user is not authorized to read or to extract user data such as 
addresses, phone numbers and passwords.

This vulnerability affects only systems where an attacker is able to 
gain a local shell on the affected machine.

This vulnerability primarily affects users whose original Citadel 
installations were version 5.xx or older software. The permissions have 
been correct for all new 6.xx installations; however, installations 
which have been upgraded from 5.xx to 6.xx may be vulnerable.

4. Workaround:

# chmod 700 $CITADEL/data

where $CITADEL is the directory in which Citadel/UX is installed 
(typically /usr/local/citadel).

5. Solution:

Install Citadel/UX 6.20p1 from the source code distribution.

Citadel/UX 6.20 ensures at startup that the data directory is not world 
readable or executable and that database files are only readable by Citadel.

Sites which currently use Citadel/UX 5.90 or prior should read the 
installation directions in docs/citadel.html carefully for significant 
changes.  Upgrading from 5.90 or prior may require a maintenance window 
of 30-60 minutes so that Citadel can upgrade the data file formats.  
Upgrading from 5.91 or later requires only shutting down the old server 
and restarting the new server.

Download Mirrors:

US (fast): http://my.citadel.org/download/citadel-ux-6.20p1.tar.gz
US (slow): 
http://uncensored.citadel.org/pub/citadel/citadel-ux-6.20p1.tar.gz
ibiblio: Available on ibiblio.org within a few days.

md5sum: 98c0124aeaf6e3e0003edf91659fade2 citadel-ux-6.20p1.tar.gz
sha1sum: def7650e2af43a7adc6f2621887ae1b62b1b57d0 citadel-ux-6.20p1.tar.gz

6. Contacts:

Citadel/UX Development Team: <devel@...adel.org>
Citadel/UX Home Page: http://www.citadel.org/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ