OCS Inventory 2.0 not used dbconfig - Security issue by default
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OCS Inventory: Server | | Undecided | Unassigned |
Debian | New | Undecided | Unassigned |
Ubuntu | | Undecided | Unassigned |
Bug Description
Hello and thank you for your work,
Since version 2, ocsinventory no longer uses dbconfig-common to create the database with a chosen password.
A security message is displayed, the handling to make:
http://
But if dbconfig is used again only the password for the admin account should be changed.
Debian and Ubuntu require a minimum of security by default and it is not the case with this version of ocsinventory.
If the database is created with dbconfig, one can use the command dpkg --purge to remove database and the package which is no longer the case at present.
Best regards,
FR. Loïc (hackurx) wrote : | #1 |
Changed in ubuntu: | |
status: | New → Invalid |
Pierre Chifflier (pollux-debian) wrote : Re: Fwd: [Bug 954283] Re: OCS Inventory 2.0 not used dbconfig - Security issue by default | #3 |
On Tue, Mar 13, 2012 at 11:19:24PM +0100, HacKurx wrote:
> Hi,
>
> ding a problem with ocsinventory,
>
> thank you, best regards
[.. snip ..]
>
> Bug description:
> Hello and thank you for your work,
>
> Since version 2, ocsinventory no longer uses dbconfig-common to
> create the database with a chosen password.
>
> A security message is displayed, the handling to make:
> http://
>
> But if dbconfig is used again only the password for the admin account
> should be changed.
> Debian and Ubuntu require a minimum of security by default and it is
> not the case with this version of ocsinventory.
>
> If the database is created with dbconfig, one can use the command dpkg
> --purge to remove database and the package which is no longer the case
> at present.
>
Hi,
Not sure I understand ... You mean the problem is that a *root* user
(which is the only one that can run dpkg commands) is able to remove the
database ? Or that users have to change the default passwords ? I don't
see how this would be related to the packaging.
Pierre
Changed in ubuntu: | |
status: | Invalid → Opinion |
FR. Loïc (hackurx) wrote : | #4 |
Sorry in french:
OCS Inventory 2.X should use dbconfig to create the database; this would avoid having to manually delete the install.php file and having to change the database login and password after installation.
In conclusion, restore the dbconfig behaviour of the previous version of the package in order to secure the default installation of the OCS server.
security vulnerability: | no → yes |
FR. Loïc (hackurx) wrote : | #5 |
google --> allinurl:
Debian packages can fight against it!
hello
this is a packaging problem.
best regards