View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
12018 | Bug reports | Security | public | 2016-12-21 22:55 | 2016-12-22 15:34 |
Reporter | hgreenwald | Assigned To | DenisChenu | ||
Priority | none | Severity | trivial | ||
Status | closed | Resolution | no change required | ||
Product Version | 2.55.x | ||||
Summary | 12018: Cache files are world-writable | ||||
Description | LimeSurvey creates temporary cache files in limesurvey/tmp/runtime/cache that are world writable, which creates an unnecessary security risk. The file permissions are specified in the following scripts: | ||||
Tags | No tags attached. | ||||
Bug heat | 260 | ||||
Complete LimeSurvey version number (& build) | 2.57.1 (build 161205) | ||||
I will donate to the project if issue is resolved | No | ||||
Browser | |||||
Database type & version | Postgres 9.2.18 | ||||
Server OS (if known) | RHEL 7 | ||||
Webserver software & version (if known) | Apache 2.4.6 | ||||
PHP Version | PHP 5.4.16 | ||||
related to | 12011 | closed | DenisChenu | Feature requests | Need an updatable runtime path |
World readable / Server user writable assets are not Cache, then no issue with limesurvey/framework/web/CAssetManager.php |
|
I don't know what happens with CAssetManager (or GiiModule), but I started looking for all instances of chmod() that could produce any world-writable files, not just cache files. |
|
Then : your bug must be posted to Yii https://github.com/yiisoft/yii/issues not to LimeSurvey. And sincerely : files are not writable if directory is not traversable : you can set 640 on tmp if you want. Not a bug |
|
http://www.yiiframework.com/doc/api/1.1/CAssetManager#newFileMode-detail The updatable in config |
|
Issue is with world-writable files in limesurvey/tmp. Is there any reason that the script should make these world-writable by default? It seems like an unnecessary security risk. |
|
Closed : world writable is done by Yii by default. You can use anything else in config.php : your server : your rules. |
|
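
A way to check an installation for the condition discussed in this issue, as an added example that is not part of the original thread and is not LimeSurvey or Yii code. The function names are hypothetical; the directory to audit (for instance the `limesurvey/tmp` path named in the report) is passed as the argument.

```shell
#!/bin/sh
# Added example (not LimeSurvey or Yii code); function names are hypothetical.
# Audits a directory tree for world-writable entries, the condition reported here.

# List regular files and directories under $1 that have the o+w mode bit set.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null
}

# Count the same entries. One line is emitted per match by -exec echo,
# so unusual file names (spaces, newlines) cannot skew the count.
count_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec echo \; 2>/dev/null |
        wc -l | tr -d ' '
}

# Succeed if "other" users hold the search (x) bit on directory $1 itself.
# Only this one directory is checked, not its ancestors.
others_can_traverse() {
    [ -n "$(find "$1" -prune -type d -perm -0001 -print 2>/dev/null)" ]
}

# Clear only the o+w bit on matching entries; owner and group bits are untouched.
remove_other_write() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Read-only report when a directory is given on the command line.
if [ "$#" -ge 1 ]; then
    dir=$1
    echo "world-writable entries under $dir: $(count_world_writable "$dir")"
    list_world_writable "$dir"
    if others_can_traverse "$dir"; then
        echo "other users can traverse $dir"
    else
        echo "other users cannot traverse $dir"
    fi
fi
```

The report only reads modes; `remove_other_write` changes them and is never called by the report itself.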
Date Modified | Username | Field | Change |
---|---|---|---|
2016-12-21 22:55 | hgreenwald | New Issue | |
2016-12-22 02:06 | DenisChenu | Relationship added | related to 12011 |
2016-12-22 02:07 | DenisChenu | Note Added: 42589 | |
2016-12-22 02:09 | DenisChenu | Note Edited: 42589 | |
2016-12-22 02:35 | hgreenwald | Note Added: 42590 | |
2016-12-22 11:02 | DenisChenu | Note Added: 42591 | |
2016-12-22 11:28 | DenisChenu | Assigned To | => DenisChenu |
2016-12-22 11:28 | DenisChenu | Status | new => closed |
2016-12-22 11:28 | DenisChenu | Resolution | open => no change required |
2016-12-22 11:28 | DenisChenu | Note Added: 42592 | |
2016-12-22 15:28 | hgreenwald | Status | closed => feedback |
2016-12-22 15:28 | hgreenwald | Resolution | no change required => reopened |
2016-12-22 15:28 | hgreenwald | Note Added: 42594 | |
2016-12-22 15:34 | DenisChenu | Note Added: 42595 | |
2016-12-22 15:34 | DenisChenu | Status | feedback => closed |
2016-12-22 15:34 | DenisChenu | Resolution | reopened => no change required |
2024-04-25 16:29 | guest | Bug heat | 254 => 260 |