In a test install, netinstall, when I got around to looking at what it did with the database config info I entered, I found this:
dh_akhcfg@william-floyd:~/gal02.dd-b.net/piwigo/local/config$ ls -l
total 8
-rw-rw-rw- 1 dh_akhcfg pg75234 319 Oct 7 13:48 database.inc.php
-rwxr-xr-x 1 dh_akhcfg pg75234 610 Oct 7 13:36 index.php
database.inc.php, which contains the host, user, password, and database names, is world write!!!! (not just read).
Even read would be a huge security hole (it gives everybody who can read world-readable files on the server full access to the database).
Changing the protection of database.inc.php to 600 does not immediately seem to have broken anything, but I haven't done more than the most minimal testing, enough to establish it can still access the database.
Piwigo 2.10.2
Operating system: Linux
PHP: 7.2.30 [2020-10-07 15:17:11]
MySQL: 5.7.29-log [2020-10-07 15:17:11]
Graphics Library: ImageMagick 6.9.7-4
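The check and fix described in the post above, as an added example that is not part of the original thread or of Piwigo: a shell audit that flags *.inc.php files in a config directory whose "other" permission bits are set, then restricts one to mode 600. The function names and the *.inc.php pattern are assumptions, and mode 600 assumes PHP runs as the file's owner (otherwise a shared group and 640 would be needed).

```shell
# Added example, not Piwigo code: find credential files other local users can reach.

# Classify one file by its "other" permission bits (POSIX find -perm).
world_access() {
    if [ -n "$(find "$1" -prune -type f -perm -002)" ]; then
        echo WORLD-WRITABLE      # any local account can replace the credentials
    elif [ -n "$(find "$1" -prune -type f -perm -004)" ]; then
        echo WORLD-READABLE      # any local account can read the DB password
    else
        echo RESTRICTED
    fi
}

# Print "<finding> <path>" for each exposed *.inc.php in a config directory.
# Returns 1 if at least one file is exposed, 0 otherwise.
audit_config_dir() {
    exposed=0
    for f in "$1"/*.inc.php; do
        [ -f "$f" ] || continue
        access=$(world_access "$f")
        if [ "$access" != RESTRICTED ]; then
            printf '%s %s\n' "$access" "$f"
            exposed=1
        fi
    done
    return "$exposed"
}

# Restrict a file to its owner (mode 600) and confirm the result.
# Assumption: PHP runs as the file's owner; otherwise use a shared group and 640.
lock_down() {
    chmod 600 "$1" && [ "$(world_access "$1")" = RESTRICTED ]
}

# Constructed fixture reproducing the two file modes from the listing in the post.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/database.inc.php"; chmod 666 "$d/database.inc.php"
    : > "$d/index.php";        chmod 755 "$d/index.php"
    audit_config_dir "$d" || echo "exposed credential file found"
    lock_down "$d/database.inc.php"
    audit_config_dir "$d" && echo "clean after chmod 600"
    rm -rf "$d"
}

case "${1:-}" in
    --demo) demo ;;                      # run against the constructed fixture
    ?*)     audit_config_dir "$1" ;;     # run against a real config directory
esac
```

Run with --demo to see the constructed case, or pass the path of a local/config directory to audit it; the exit status is non-zero when an exposed file is found.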
I've reported this as an issue on GitHub; it's #1227.