[34511] in bugtraq
Citadel/UX 6.20 fixes local permissions vulnerability
daemon@ATHENA.MIT.EDU (IO ERROR)
Mon Apr 12 18:04:12 2004
To: BUGTRAQ <bugtraq@securityfocus.com>
Date: Mon, 12 Apr 2004 14:30:54 -0400
Message-ID: <407AE05E.9070405@citadel.org>
From: error@citadel.org (IO ERROR)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Citadel/UX Security Advisory 2004-01
1. Topic:
Updated Citadel/UX package fixes permissions problem which could allow
local users direct access to the Citadel/UX database.
2. Relevant releases/architectures:
Citadel/UX 5.00 - 6.14, all architectures
3. Problem description:
Citadel/UX is a high performance, multithreaded messaging server which
provides multiple access methods including Web, POP3, IMAP, SMTP and
native Citadel protocols. It provides email, public forums, mailing
lists, instant messaging, multiple/virtual domain support,
calendaring/scheduling, single-instance message store, and many other
features.
In older Citadel/UX releases, the "data" directory, where Citadel stores
its database files, had permissions drwxr-xr-x (0755) set, and the data
files were -rw-r--r-- (0644). This allowed any local user to view the
database directly, bypassing access controls to read messages which the
user is not authorized to read or to extract user data such as
addresses, phone numbers and passwords.
This vulnerability affects only systems where an attacker is able to
gain a local shell on the affected machine.
This vulnerability primarily affects users whose original Citadel
installations were version 5.xx or older software. The permissions have
been correct for all new 6.xx installations; however, installations
which have been upgraded from 5.xx to 6.xx may be vulnerable.
4. Workaround:
# chmod 700 $CITADEL/data
where $CITADEL is the directory in which Citadel/UX is installed
(typically /usr/local/citadel).
5. Solution:
Install Citadel/UX 6.20p1 from the source code distribution.
Citadel/UX 6.20 ensures at startup that the data directory is not world
readable or executable and that database files are only readable by Citadel.
Sites which currently use Citadel/UX 5.90 or prior should read the
installation directions in docs/citadel.html carefully for significant
changes. Upgrading from 5.90 or prior may require a maintenance window
of 30-60 minutes so that Citadel can upgrade the data file formats.
Upgrading from 5.91 or later requires only shutting down the old server
and restarting the new server.
Download Mirrors:
US (fast): http://my.citadel.org/download/citadel-ux-6.20p1.tar.gz
US (slow):
http://uncensored.citadel.org/pub/citadel/citadel-ux-6.20p1.tar.gz
ibiblio: Available on ibiblio.org within a few days.
md5sum: 98c0124aeaf6e3e0003edf91659fade2 citadel-ux-6.20p1.tar.gz
sha1sum: def7650e2af43a7adc6f2621887ae1b62b1b57d0 citadel-ux-6.20p1.tar.gz
6. Contacts:
Citadel/UX Development Team: <devel@citadel.org>
Citadel/UX Home Page: http://www.citadel.org/
