fix WebUI system information leak

Disable unauthenticated access to cgi-bin/credits.cgi. The page leaks the currently installed version of IPFire and the hardware architecture. Both information might make a successful attack much easier. This issue can be reproduced by accessing https://[IPFire-IP]:444/cgi-bin/credits.cgi and accepting a SSL certificate warning (if any). Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2017-09-03 16:14:53 +02:00
parent 3dcf1822e6
commit 0effbb3569
2 changed files with 0 additions and 8 deletions
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -42,10 +42,6 @@
            Satisfy Any
            Allow from All
        </Files>
-        <Files credits.cgi>
-            Satisfy Any
-            Allow from All
-        </Files>
        <Files dial.cgi>
            Require user admin
        </Files>
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -34,10 +34,6 @@
            Satisfy Any
            Allow from All
        </Files>
-        <Files credits.cgi>
-            Satisfy Any
-            Allow from All
-        </Files>
        <Files dial.cgi>
            Require user admin
        </Files>