fix WebUI system information leak
Commit Message
Disable unauthenticated access to cgi-bin/credits.cgi. The page
leaks the currently installed version of IPFire and the hardware
architecture.
Both information might make a successful attack much easier.
This issue can be reproduced by accessing https://[IPFire-IP]:444/cgi-bin/credits.cgi
and accepting a SSL certificate warning (if any).
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
Comments
Merged.
-Michael
On Sun, 2017-09-03 at 16:14 +0200, Peter Müller wrote:
> Disable unauthenticated access to cgi-bin/credits.cgi. The page
> leaks the currently installed version of IPFire and the hardware
> architecture.
>
> Both information might make a successful attack much easier.
>
> This issue can be reproduced by accessing https://[IPFire-IP]:444/cgi-bin/credits.cgi
> and accepting a SSL certificate warning (if any).
>
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> index daac75742..4897d56d2 100644
> --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> @@ -42,10 +42,6 @@
> Satisfy Any
> Allow from All
> </Files>
> - <Files credits.cgi>
> - Satisfy Any
> - Allow from All
> - </Files>
> <Files dial.cgi>
> Require user admin
> </Files>
> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
> index 8783c632b..c7c05972e 100644
> --- a/config/httpd/vhosts.d/ipfire-interface.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> @@ -34,10 +34,6 @@
> Satisfy Any
> Allow from All
> </Files>
> - <Files credits.cgi>
> - Satisfy Any
> - Allow from All
> - </Files>
> <Files dial.cgi>
> Require user admin
> </Files>
@@ -42,10 +42,6 @@
Satisfy Any
Allow from All
</Files>
- <Files credits.cgi>
- Satisfy Any
- Allow from All
- </Files>
<Files dial.cgi>
Require user admin
</Files>
@@ -34,10 +34,6 @@
Satisfy Any
Allow from All
</Files>
- <Files credits.cgi>
- Satisfy Any
- Allow from All
- </Files>
<Files dial.cgi>
Require user admin
</Files>