
View Issue Details

This bug affects 2 person(s).
ID: 12018
Project: Bug reports
Category: Security
View Status: public
Last Update: 2016-12-22 15:34
Reporter: hgreenwald
Assigned To: DenisChenu
Priority: none
Severity: trivial
Status: closed
Resolution: no change required
Product Version: 2.55.x
Summary: 12018: Cache files are world-writable
Description

LimeSurvey creates temporary cache files in limesurvey/tmp/runtime/cache that are world writable, which creates an unnecessary security risk. The file permissions are specified in the following scripts:
• limesurvey/framework/caching/CFileCache.php
• limesurvey/framework/gii/GiiModule.php
• limesurvey/framework/web/CAssetManager.php
Please change chmod() function calls in these files from 777 to 755 and 666 to 644.

Tags: No tags attached.
Bug heat: 260
Complete LimeSurvey version number (& build): 2.57.1 (build 161205)
I will donate to the project if issue is resolved: No
Browser:
Database type & version: Postgres 9.2.18
Server OS (if known): RHEL 7
Webserver software & version (if known): Apache 2.4.6
PHP Version: PHP 5.4.16

Relationships

related to 12011 (closed, DenisChenu, Feature requests): Need an updatable runtime path

Activities

DenisChenu (developer), 2016-12-22 02:07, ~42589

Last edited: 2016-12-22 02:09

World readable / Server user writable

Assets are not cache, then no issue with limesurvey/framework/web/CAssetManager.php

hgreenwald (reporter), 2016-12-22 02:35, ~42590

I don't know what happens with CAssetManager (or GiiModule), but I started looking for all instances of chmod() that could produce any world-writable files, not just cache files.

DenisChenu (developer), 2016-12-22 11:02, ~42591

Then: your bug must be posted to Yii (https://github.com/yiisoft/yii/issues), not to LimeSurvey.

And sincerely: files are not writable if the directory is not traversable: you can set 640 on tmp if you want.

Not a bug

DenisChenu (developer), 2016-12-22 11:28, ~42592

http://www.yiiframework.com/doc/api/1.1/CAssetManager#newFileMode-detail

The updatable in config

hgreenwald (reporter), 2016-12-22 15:28, ~42594

Issue is with world-writable files in limesurvey/tmp. Is there any reason that the script should make these world-writable by default? It seems like an unnecessary security risk.

DenisChenu (developer), 2016-12-22 15:34, ~42595

Closed: world-writable is done by Yii by default.

You can use anything else in config.php: your server, your rules.
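The thread ends with "use config.php", so here is what that looks like. This is an added example, not LimeSurvey's own configuration or anything posted in the thread. It assumes that LimeSurvey 2.x merges the array returned by application/config/config.php into its Yii 1.1 application config, that the 'cache' component is CFileCache (the class behind the limesurvey/framework/caching/CFileCache.php file named in the report), and that the property names cachePathMode, cacheFileMode, newDirMode and newFileMode exist as documented in the Yii 1.1 API (the last one is the property the developer linked). The octal values are the reporter's suggested 755/644.

```php
<?php
// Added example, not LimeSurvey's shipped config.php.
// Assumption: LimeSurvey 2.x merges this array into its Yii 1.1 app config.
// Yii 1.1 defaults that the report objects to (assumed from the Yii 1.1 docs):
//   CFileCache::cachePathMode  = 0777   CFileCache::cacheFileMode = 0666
//   CAssetManager::newDirMode  = 0777   CAssetManager::newFileMode = 0666
// Property names below are assumed to match the framework copy shipped in
// limesurvey/framework; verify them there if your version differs.
return array(
    'components' => array(
        // Files under tmp/runtime/cache: writable by the web server user only,
        // readable by others (the reporter's 755 / 644).
        'cache' => array(
            'class'         => 'CFileCache',
            'cachePathMode' => 0755, // cache sub-directories
            'cacheFileMode' => 0644, // individual cache files
        ),
        // Published assets (CAssetManager) use a separate pair of properties.
        'assetManager' => array(
            'newDirMode'  => 0755,
            'newFileMode' => 0644,
        ),
    ),
);
```

Two things to keep in mind when applying this: the new modes only affect files Yii creates after the change, so anything already sitting in tmp/runtime/cache keeps its old permissions until it is cleared or re-chmodded, and a quick audit afterwards is `find limesurvey/tmp -perm -o+w` (GNU find), which should list nothing. The developer's point about directory traversal is the complementary control: if other local users cannot pass through tmp at all, the mode on the files inside matters much less.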

Issue History

Date Modified Username Field Change
2016-12-21 22:55 hgreenwald New Issue
2016-12-22 02:06 DenisChenu Relationship added related to 12011
2016-12-22 02:07 DenisChenu Note Added: 42589
2016-12-22 02:09 DenisChenu Note Edited: 42589
2016-12-22 02:35 hgreenwald Note Added: 42590
2016-12-22 11:02 DenisChenu Note Added: 42591
2016-12-22 11:28 DenisChenu Assigned To => DenisChenu
2016-12-22 11:28 DenisChenu Status new => closed
2016-12-22 11:28 DenisChenu Resolution open => no change required
2016-12-22 11:28 DenisChenu Note Added: 42592
2016-12-22 15:28 hgreenwald Status closed => feedback
2016-12-22 15:28 hgreenwald Resolution no change required => reopened
2016-12-22 15:28 hgreenwald Note Added: 42594
2016-12-22 15:34 DenisChenu Note Added: 42595
2016-12-22 15:34 DenisChenu Status feedback => closed
2016-12-22 15:34 DenisChenu Resolution reopened => no change required
2024-04-25 16:29 guest Bug heat 254 => 260