Freenet6 permissions are world-readable
freenet6-world-readable (17544)
Description:
Freenet6 could allow a remote attacker to obtain username and password information. The tspc.conf configuration file in Freenet6 is world-readable, which could allow a remote attacker to read this file and obtain the username and password used to connect to the IPv6 tunnel broker Freenet6.net.
Consequences:
Obtain Information
Remedy:
For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest Freenet6 package, as listed below. Refer to DSA-555-1 for more information. See References.
Debian GNU/Linux 3.0 (woody): 0.9.6-1woody2 or later
References:
- Freenet6 Web page: What is Freenet6?
- BID-11280: Freenet6 Client Default Installation Configuration File Permission Vulnerability
- CVE-2004-0563: The tspc.conf configuration file in freenet6 before 0.9.6 and before 1.0 on Debian Linux has world readable permissions, which could allow local users to gain sensitive information, such as a username and password.
- DSA-555: freenet6 -- wrong file permissions
- SA12705: Debian freenet6 Insecure Configuration File Permissions
- SECTRACK ID: 1011460: Freenet6 on Debian Linux Discloses Tunnel Broker Password to Local Users
Platforms Affected:
- Debian Debian Linux 3.0
- Hexago Freenet6
Reported:
Sep 30, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
