diff mbox series

fix WebUI system information leak

Message ID	20170903161453.1e018d7c.peter.mueller@link38.eu
State	Accepted
Commit	0effbb3569624f42550310689aaf94d726cd9d0e
Headers	Date: Sun, 3 Sep 2017 16:14:53 +0200 From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu> To: development@lists.ipfire.org Subject: [PATCH] fix WebUI system information leak Message-ID: <20170903161453.1e018d7c.peter.mueller@link38.eu> Organization: Link38 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Precedence: list Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org>
Series	fix WebUI system information leak \| fix WebUI system information leak

Commit Message

Peter Müller Sept. 4, 2017, 12:14 a.m. UTC

  Disable unauthenticated access to cgi-bin/credits.cgi. The page
leaks the currently installed version of IPFire and the hardware
architecture.

Both information might make a successful attack much easier.

This issue can be reproduced by accessing https://[IPFire-IP]:444/cgi-bin/credits.cgi
and accepting a SSL certificate warning (if any).

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---

Comments

Michael Tremer Sept. 4, 2017, 9:35 p.m. UTC | #1

Merged.

-Michael

On Sun, 2017-09-03 at 16:14 +0200, Peter Müller wrote:
> Disable unauthenticated access to cgi-bin/credits.cgi. The page
> leaks the currently installed version of IPFire and the hardware
> architecture.
> 
> Both information might make a successful attack much easier.
> 
> This issue can be reproduced by accessing https://[IPFire-IP]:444/cgi-bin/credits.cgi
> and accepting a SSL certificate warning (if any).
> 
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> index daac75742..4897d56d2 100644
> --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> @@ -42,10 +42,6 @@
>              Satisfy Any
>              Allow from All
>          </Files>
> -        <Files credits.cgi>
> -            Satisfy Any
> -            Allow from All
> -        </Files>
>          <Files dial.cgi>
>              Require user admin
>          </Files>
> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
> index 8783c632b..c7c05972e 100644
> --- a/config/httpd/vhosts.d/ipfire-interface.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> @@ -34,10 +34,6 @@
>              Satisfy Any
>              Allow from All
>          </Files>
> -        <Files credits.cgi>
> -            Satisfy Any
> -            Allow from All
> -        </Files>
>          <Files dial.cgi>
>              Require user admin
>          </Files>

diff mbox series

Patch

diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index daac75742..4897d56d2 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -42,10 +42,6 @@ 
             Satisfy Any
             Allow from All
         </Files>
-        <Files credits.cgi>
-            Satisfy Any
-            Allow from All
-        </Files>
         <Files dial.cgi>
             Require user admin
         </Files>
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index 8783c632b..c7c05972e 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -34,10 +34,6 @@ 
             Satisfy Any
             Allow from All
         </Files>
-        <Files credits.cgi>
-            Satisfy Any
-            Allow from All
-        </Files>
         <Files dial.cgi>
             Require user admin
         </Files>