[Bug 196026] New: mail/roundcube: Port does not install .htaccess files [security problem]

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Dec 16 12:41:02 UTC 2014


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196026

            Bug ID: 196026
           Summary: mail/roundcube: Port does not install .htaccess files
                    [security problem]
           Product: Ports Tree
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ale at FreeBSD.org
          Reporter: lukasz at wasikowski.net
             Flags: maintainer-feedback?(ale at FreeBSD.org)

FreeBSD's roundcube port is not installing .htaccess files, which by default
deny access to config, temp, logs dirs and more. So, by default, you can
remotely read roundcube logs, composer configs, and so on.

How to repeat:

Fresh system with no packages installed.

root at testlab:~ # uname -a
FreeBSD testlab 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014     root at releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

root at testlab:~ # pkg install roundcube
[...]

[19/19] Extracting roundcube-1.0.3,1: 100%
Message for roundcube-1.0.3,1:
 ---------------------------------------------------------------------
FIRST INSTALLATION

If this is a first installation of RoundCube you have to create
a new database and a db user. Read INSTALL for detailed instructions.

UPGRADING

If you already had a previous version of RoundCube installed,
you should check your config files and DB schema are up-to-date.
Read UPGRADING for detailed instructions.
---------------------------------------------------------------------

root at testlab:~ # find /usr/local/www/roundcube/ -type f -name .htaccess
/usr/local/www/roundcube/plugins/enigma/home/.htaccess


While it should look like this:

root at testlab:~ # fetch -o /tmp/roundcubemail-1.0.3.tar.gz http://sourceforge.net/projects/roundcubemail/files/roundcubemail/1.0.3/roundcubemail-1.0.3.tar.gz
/tmp/roundcubemail-1.0.3.tar.gz               100% of 3890 kB 1131 kBps 00m03s

root at testlab:~ # tar zxf /tmp/roundcubemail-1.0.3.tar.gz -C /tmp/

root at testlab:~ # find /tmp/roundcubemail-1.0.3/ -type f -name .htaccess
/tmp/roundcubemail-1.0.3/plugins/enigma/home/.htaccess
/tmp/roundcubemail-1.0.3/.htaccess

--- Comment #1 from Bugzilla Automation <bugzilla at FreeBSD.org> ---
Auto-assigned to maintainer ale at FreeBSD.org

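Added example, not part of the original report or of the port: a shell check that generalizes the two find commands in the report by comparing the .htaccess files of an upstream source tree against an installed tree and listing any that are missing or altered. The function names are hypothetical; the paths in the usage comment are the ones used in the report.

```shell
#!/bin/sh
# Compare the .htaccess files shipped upstream with those actually installed.
# Usage (paths taken from the report):
#   sh audit_htaccess.sh /tmp/roundcubemail-1.0.3 /usr/local/www/roundcube

# list_htaccess DIR: print the path, relative to DIR, of every .htaccess file.
list_htaccess() {
    ( cd "$1" && find . -type f -name .htaccess | sed 's|^\./||' | LC_ALL=C sort )
}

# missing_htaccess UPSTREAM INSTALLED: files upstream ships that INSTALLED lacks.
missing_htaccess() {
    list_htaccess "$1" | while IFS= read -r rel; do
        [ -f "$2/$rel" ] || printf '%s\n' "$rel"
    done
}

# changed_htaccess UPSTREAM INSTALLED: files present in both trees whose
# content differs, for example emptied or relaxed after installation.
changed_htaccess() {
    list_htaccess "$1" | while IFS= read -r rel; do
        if [ -f "$2/$rel" ] && ! cmp -s "$1/$rel" "$2/$rel"; then
            printf '%s\n' "$rel"
        fi
    done
}

# audit_htaccess UPSTREAM INSTALLED: print findings and return non-zero when
# the installed tree does not carry upstream's access-control files intact.
audit_htaccess() {
    missing=$(missing_htaccess "$1" "$2")
    changed=$(changed_htaccess "$1" "$2")
    [ -z "$missing" ] || printf '%s\n' "$missing" | sed 's/^/MISSING  /'
    [ -z "$changed" ] || printf '%s\n' "$changed" | sed 's/^/CHANGED  /'
    [ -z "$missing$changed" ]
}

# Run the audit when two directories are given on the command line.
if [ "$#" -eq 2 ]; then
    audit_htaccess "$1" "$2"
fi
```

This checks file presence and content only; an .htaccess file takes effect only when the web server is configured to honour it (for Apache, a suitable AllowOverride setting).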