What steps will reproduce the problem?
1. Generate a PDF
or
1. Upload CSV or Keepass-File
3.
What is the expected output? What do you see instead?
In the folder /files/ a PDF with cleartext passwords is generated, and this
file has the rights of the webserver and isn't deleted anymore.
The same goes for uploaded CSV/Keepass files with cleartext in /upload/.
If you have enabled "Options Indexes" in Apache, you can even browse to
/files and see all generated PDFs.
That's a real security hole.
What version of the product are you using?
2.1.9
On what operating system? With what Browser (IEx, FFx, ...)
Debian Squeeze
Please provide any additional information below.
Example: your own Demo-Server: http://www.teampass.net/demo/files/
http://www.teampass.net/demo/upload/
So you must remove these massive security issues immediately, otherwise this
Software is
* no "Options Indexes" in Apache config (as a tip for the admins!)
* /files/ and /upload/ not in the webserver's DocumentRoot
* deletion of files with cleartext passwords after temporary generation in
/files/
Original issue reported on code.google.com by samere...@googlemail.com on 14 Sep 2012 at 3:11
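
The last two remediations in the report (export directories outside the DocumentRoot, deletion of temporary cleartext files), sketched as an added example that is not TeamPass code: it reports whether a directory resolves to a path under the DocumentRoot and purges files older than a TTL. The function names, the 300-second TTL and the constructed sample tree are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path


def is_web_reachable(directory, docroot):
    """True if directory resolves to a path inside the web server's DocumentRoot."""
    d, root = Path(directory).resolve(), Path(docroot).resolve()
    return d == root or root in d.parents


def purge_stale(directory, max_age_s, now=None):
    """Delete regular files older than max_age_s seconds; return the removed names."""
    now = time.time() if now is None else now
    removed = []
    for entry in os.scandir(directory):
        # Keep dotfiles such as .htaccess and never follow symlinks out of the directory.
        if entry.name.startswith(".") or not entry.is_file(follow_symlinks=False):
            continue
        if now - entry.stat(follow_symlinks=False).st_mtime > max_age_s:
            os.unlink(entry.path)
            removed.append(entry.name)
    return sorted(removed)


def audit(docroot, export_dirs, max_age_s=300):
    """Per directory: is it under the docroot, and which stale files were purged."""
    return {str(d): {"web_reachable": is_web_reachable(d, docroot),
                     "purged": purge_stale(d, max_age_s)}
            for d in export_dirs}


def build_sample_tree():
    """Constructed sample: files/ and upload/ under a temporary docroot (assumed layout)."""
    root = Path(tempfile.mkdtemp())
    hour_ago = time.time() - 3600
    samples = (("files/export_old.pdf", True), ("files/export_new.pdf", False),
               ("upload/import.csv", True))
    for rel, stale in samples:
        path = root / rel
        path.parent.mkdir(exist_ok=True)
        path.write_text("constructed placeholder, no real secrets")
        if stale:  # backdate the file so it exceeds the TTL
            os.utime(path, (hour_ago, hour_ago))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(audit(sample_root, [sample_root / "files", sample_root / "upload"]))
```

A purge like this only narrows the exposure window; a directory reported as `web_reachable` still needs to be moved out of the DocumentRoot or denied in the server configuration.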