OCS Inventory: Server

OCS Inventory 2.0 not used dbconfig - Security issue by default

Bug #954283 reported by FR. Loïc
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OCS Inventory: Server
Invalid
Undecided
Unassigned
Debian
New
Undecided
Unassigned
Ubuntu
Opinion
Undecided
Unassigned

Bug Description

Hello and thank you for your work,

Since version 2 of ocsinventory no longer uses dbconfig-common to create database with a chosen password.

A security message is displayed, the handling to make:
http://wiki.ocsinventory-ng.org/index.php/Documentation:Secure

But if dbconfig is used again only the password for the admin account should be changed.
Debian and Ubuntu requires a minimum of security by default and it is not the case with this version of ocsinventory.

If the database is created with dbconfig, one can use the command dpkg --purge to remove database and the package which is no longer the case at present.

Best regards,

Revision history for this message
FR. Loïc (hackurx) wrote :
Fabio Marconi (fabiomarconi)
Changed in ubuntu:
status: New → Invalid
Revision history for this message
Erwan (airoine) wrote :

hello

this is a packaging problem.

best regards

Changed in ocsinventory-server:
status: New → Invalid
Revision history for this message
Pierre Chifflier (pollux-debian) wrote : Re: Fwd: [Bug 954283] Re: OCS Inventory 2.0 not used dbconfig - Security issue by default

On Tue, Mar 13, 2012 at 11:19:24PM +0100, HacKurx wrote:
> Hi,
>
> ding a problem with ocsinventory,
>
> thank you, best regards

[.. snip ..]

>
> Bug description:
>  Hello and thank you for your work,
>
>  Since version 2 of ocsinventory no longer uses dbconfig-common to
>  create database with a chosen password.
>
>  A security message is displayed, the handling to make:
>  http://wiki.ocsinventory-ng.org/index.php/Documentation:Secure
>
>  But if dbconfig is used again only the password for the admin account
> should be changed.
>  Debian and Ubuntu requires a minimum of security by default and it is
> not the case with this version of ocsinventory.
>
>  If the database is created with dbconfig, one can use the command dpkg
>  --purge to remove database and the package which is no longer the case
>  at present.
>

Hi,

Not sure I understand ... You mean the problem is that a *root* user
(which is the only one that can run dpkg commands) is able to remove the
database ? Or that users have to change the defaults passwords ? I don't
see how this would be related to the packaging.

Pierre

FR. Loïc (hackurx)
Changed in ubuntu:
status: Invalid → Opinion
Revision history for this message
FR. Loïc (hackurx) wrote :

Sorry in french:

OCS Inventory 2.X devrait utiliser dbconfig pour créer la base de donné, cela éviterai de devoir supprimer manuellement le fichier install.php et de devoir changer le login mot de passe de la base de donnée après l'installation.

En conclusion, reprendre le fonctionnement de dbconfig de la précende version du paquet afin de sécurisé l'installation par défaut du serveur OCS.

FR. Loïc (hackurx)
security vulnerability: no → yes
Revision history for this message
FR. Loïc (hackurx) wrote :

google --> allinurl:install.php ...

Debian packages can fight against its!

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.