webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-28 03:33:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix WebUI system information leak

Browse Source 
Disable unauthenticated access to cgi-bin/credits.cgi. The page
leaks the currently installed version of IPFire and the hardware
architecture.

Both information might make a successful attack much easier.

This issue can be reproduced by accessing https://[IPFire-IP]:444/cgi-bin/credits.cgi
and accepting a SSL certificate warning (if any).

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit is contained in:
Peter Müller
2017-09-03 16:14:53 +02:00
committed by Michael Tremer
parent 3dcf1822e6
commit 0effbb3569
2 changed files with 0 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
config/httpd/vhosts.d/ipfire-interface-ssl.conf
View File

@@ -42,10 +42,6 @@
Satisfy Any Satisfy Any
Allow from All Allow from All
</Files> </Files>
<Files credits.cgi>
Satisfy Any
Allow from All
</Files>
<Files dial.cgi> <Files dial.cgi>
Require user admin Require user admin
</Files> </Files>

4
config/httpd/vhosts.d/ipfire-interface.conf
View File

@@ -34,10 +34,6 @@
Satisfy Any Satisfy Any
Allow from All Allow from All
</Files> </Files>
<Files credits.cgi>
Satisfy Any
Allow from All
</Files>
<Files dial.cgi> <Files dial.cgi>
Require user admin Require user admin
</Files> </Files>