CentOS Bug Tracker
CentOS Bug Tracker
My View | View Issues | Roadmap
  

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0006825CentOS-6piranhapublic2013-12-11 12:402014-04-21 14:57
ReporterIDMS-andreas.schiermeier 
PrioritynormalSeverityminorReproducibilityalways
StatusresolvedResolutionfixed 
PlatformOSOS Version
Product Version6.4 
Target VersionFixed in Version6.5 
Summary0006825: Authentication bypass in Webinterface
DescriptionWebserver configuration of Pirhana only limits GET-Requests.
It's possible to bypass authentication to view and modify the configuration.

Please remove the directives <Limit …> and </Limit> in /etc/sysconfig/ha/conf/httpd.conf
Steps To Reproducewget -qO- --post-data='' http://pirhanahost:3636/secure/control.php [^]
TagsNo tags attached.
Attached Filespatch file icon pirhana-httpdconf-limit.patch [^] (389 bytes) 2013-12-11 12:40 [Show Content]

- Relationships

-  Notes
(0018655)
athmane (developer)
2013-12-13 20:03

 I was able to reproduce this issue.

Because it's not specific to CentOS, I filed a bug in upstream bugzilla (with tracking link to this issue, see 'External Trackers' section).

https://bugzilla.redhat.com/show_bug.cgi?id=1043040 [^]
(0019651)
tigalch (developer)
2014-04-21 14:57

 Fixed with errata https://rhn.redhat.com/errata/RHSA-2014-0175.html [^]

- Issue History
Date Modified Username Field Change
2013-12-11 12:40 IDMS-andreas.schiermeier New Issue
2013-12-11 12:40 IDMS-andreas.schiermeier File Added: pirhana-httpdconf-limit.patch
2013-12-13 20:03 athmane Note Added: 0018655
2013-12-13 20:03 athmane Status new => confirmed
2014-04-21 14:57 tigalch Note Added: 0019651
2014-04-21 14:57 tigalch Status confirmed => resolved
2014-04-21 14:57 tigalch Fixed in Version => 6.5
2014-04-21 14:57 tigalch Resolution open => fixed

Copyright © 2000 - 2016 MantisBT Team
Powered by Mantis Bugtracker