From patchwork Mon Sep  4 00:14:53 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@link38.eu>
X-Patchwork-Id: 1398
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (unknown [172.28.1.200])
	by web02.ipfire.org (Postfix) with ESMTP id 5E58261AB5
	for <patchwork@ipfire.org>; Sun,  3 Sep 2017 16:15:11 +0200 (CEST)
Received: from mail01.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id 07C722824;
	Sun,  3 Sep 2017 16:15:09 +0200 (CEST)
Received: from mx.link38.eu (mx.link38.eu [188.68.43.123])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mail01.ipfire.org (Postfix) with ESMTPS id B9C7DFFC
	for <development@lists.ipfire.org>;
	Sun,  3 Sep 2017 16:15:06 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mx.link38.eu
Received: from mx-fra.brokers.link38.eu (mx-fra.brokers.link38.eu
	[10.141.75.13])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (Client did not present a certificate)
	by mx.link38.eu (Postfix) with ESMTPS id 653504025D
	for <development@lists.ipfire.org>;
	Sun,  3 Sep 2017 16:14:54 +0200 (CEST)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256
	bits)) (Client did not present a certificate)
	by mx-fra.brokers.link38.eu (Postfix) with ESMTPSA id D80E09F353
	for <development@lists.ipfire.org>;
	Sun,  3 Sep 2017 16:14:54 +0200 (CEST)
Date: Sun, 3 Sep 2017 16:14:53 +0200
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: [PATCH] fix WebUI system information leak
Message-ID: <20170903161453.1e018d7c.peter.mueller@link38.eu>
Organization: Link38
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <http://lists.ipfire.org/mailman/options/development>,
	<mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <http://lists.ipfire.org/mailman/listinfo/development>,
	<mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

Disable unauthenticated access to cgi-bin/credits.cgi. The page
leaks the currently installed version of IPFire and the hardware
architecture.

Both information might make a successful attack much easier.

This issue can be reproduced by accessing https://[IPFire-IP]:444/cgi-bin/credits.cgi
and accepting a SSL certificate warning (if any).

Signed-off-by: Peter Müller <peter.mueller@link38.eu>

diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index daac75742..4897d56d2 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -42,10 +42,6 @@
             Satisfy Any
             Allow from All
         </Files>
-        <Files credits.cgi>
-            Satisfy Any
-            Allow from All
-        </Files>
         <Files dial.cgi>
             Require user admin
         </Files>
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index 8783c632b..c7c05972e 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -34,10 +34,6 @@
             Satisfy Any
             Allow from All
         </Files>
-        <Files credits.cgi>
-            Satisfy Any
-            Allow from All
-        </Files>
         <Files dial.cgi>
             Require user admin
         </Files>