[Secure-testing-team] Bug#780575: exim4-config: information disclosure issue

Daniel Reichelt debian at nachtgeist.net
Mon Mar 16 08:10:02 UTC 2015


Package: exim4-config
Version: 4.80-7+deb7u1
Severity: grave
Tags: security
Justification: user security hole

Hi folks,


suppose you have set up an exim4 which provides virtual mailing, managing
domains/accounts in a DB, say mysql.

Just adding mysql queries and DB-*authentication data* to the exim4 templates
(both single file or split files configuration) will result in information
disclosure of all virtual mail users/passwords to users which have either shell
access, or can run scripts on the webserver (cgi, php, $whatever) or have any
other means to access these paths:

* /etc/exim4/exim4.conf.template
* /etc/conf.d/
* /var/lib/exim4/config.autogenerated



I strongly suggest changing the modes of

* /etc/exim4
* /var/lib/exim4

to o-rwx.



Thanks
Daniel



-- Package-specific info:
Exim version 4.80 #2 built 24-Jul-2014 03:28:02
Copyright (c) University of Cambridge, 1995 - 2012
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2012
Berkeley DB: Berkeley DB 5.1.29: (October 25, 2011)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: 7.8
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'proposed-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages exim4-config depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49

exim4-config recommends no packages.

exim4-config suggests no packages.

-- debconf information excluded
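As an added defensive check (this is not the reporter's code and not part of the exim4 package): a POSIX shell audit that flags exim4 config files which carry mysql_servers/pgsql_servers credentials and are reachable by "other" users, so the o-rwx fix suggested above can be verified. It assumes GNU coreutils stat; the tree root is a parameter so it can be run against /etc/exim4, /var/lib/exim4 or a scratch directory.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit an exim4 config tree for
# a world-readable template or generated config that embeds database
# credentials. Assumes GNU coreutils stat (Linux); root dir is a parameter.

# Print the "other" digit of PATH's octal mode (0..7), or 9 if PATH is missing.
other_bits() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo 9; return; }
    echo "${mode#"${mode%?}"}"          # keep only the last octal digit
}

# 0 if "other" may read PATH (r bit set), 1 otherwise.
other_can_read()     { b=$(other_bits "$1"); [ "$b" != 9 ] && [ $((b & 4)) -ne 0 ]; }
# 0 if "other" may traverse directory PATH (x bit set), 1 otherwise.
other_can_traverse() { b=$(other_bits "$1"); [ "$b" != 9 ] && [ $((b & 1)) -ne 0 ]; }

# 0 if every directory from ROOT ($1) down to FILE's ($2) parent is
# world-traversable, i.e. another local user can actually reach FILE.
others_reach() {
    p=$(dirname "$2")
    while :; do
        other_can_traverse "$p" || return 1
        [ "$p" = "$1" ] || [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# 0 if FILE sets mysql_servers or pgsql_servers, whose value is a
# host/database/user/password connection string, 1 otherwise.
has_db_credentials() {
    grep -Eqs '^[[:space:]]*(hide[[:space:]]+)?(mysql|pgsql)_servers[[:space:]]*=' "$1"
}

# Audit one tree: a file leaks if it holds DB credentials, is world-readable
# and all directories above it are world-traversable (so o-rwx on the tree
# root alone closes the leak). Returns 1 if any file leaks, 0 otherwise.
audit_exim_tree() {
    dir=$1; rc=0
    other_can_traverse "$dir" && echo "WARN: $dir is world-traversable (o=$(other_bits "$dir"))"
    for f in $(find "$dir" -type f 2>/dev/null); do   # assumes no spaces in names
        has_db_credentials "$f" || continue
        if other_can_read "$f" && others_reach "$dir" "$f"; then
            echo "LEAK: $f holds DB credentials and is world-readable"; rc=1
        else
            echo "ok:   $f holds DB credentials but is not reachable by others"
        fi
    done
    return $rc
}
```

Run it as `audit_exim_tree /etc/exim4; audit_exim_tree /var/lib/exim4`; a non-zero exit means a credential-bearing file is still readable by every local user.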