View Issue Details
Field | Value |
---|---|
ID | 0006825 |
Project | CentOS-6 |
Category | piranha |
View Status | public |
Date Submitted | 2013-12-11 12:40 |
Last Update | 2014-04-21 14:57 |
Reporter | IDMS-andreas.schiermeier |
Priority | normal |
Severity | minor |
Reproducibility | always |
Status | resolved |
Resolution | fixed |
Product Version | 6.4 |
Target Version | |
Fixed in Version | 6.5 |
Summary | 0006825: Authentication bypass in Webinterface |
Description | Webserver configuration of Piranha only limits GET requests. It's possible to bypass authentication to view and modify the configuration. Please remove the directives `<Limit …>` and `</Limit>` in /etc/sysconfig/ha/conf/httpd.conf |
Steps To Reproduce | `wget -qO- --post-data='' http://pirhanahost:3636/secure/control.php` |
Tags | No tags attached. |
pirhana-httpdconf-limit.patch (389 bytes)
--- etc/sysconfig/ha/conf/httpd.conf.orig 2013-12-11 13:33:10.992688518 +0100 +++ etc/sysconfig/ha/conf/httpd.conf 2013-12-11 13:33:29.836687604 +0100 @@ -109,9 +109,7 @@ AuthGroupFile /dev/null AuthName "access to the piranha web GUI" AuthType Basic - <Limit GET> - require user piranha - </Limit> + require user piranha </Directory> HostnameLookups On |
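Review bot: the hunk covers only the one block around line 109, so before applying it grep the rest of httpd.conf for any other `<Limit`-wrapped `require` line; a second wrapper anywhere else would leave the same POST gap open. Within this block the change is correct: with `require user piranha` sitting directly under `<Directory>` instead of inside `<Limit GET>`, the Basic-auth requirement applies to every request method, which is what closes the bypass in the steps to reproduce. Note that the patch uses relative paths (`etc/sysconfig/ha/conf/httpd.conf`), so it has to be applied with `-p0` from `/`, and the web service must be restarted for the new configuration to take effect.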
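The misconfiguration behind this report is easy to spot mechanically: a `<Directory>` block whose only `require` directives sit inside a `<Limit ...>` (or `<LimitExcept ...>`) section authenticates some HTTP methods and leaves the rest open. The following Python script is an added example, not part of the bug report or of the piranha package; it audits an httpd.conf text for that pattern. The two sample configurations are constructed: the directory path and `AuthUserFile` value are placeholders, while the remaining directives follow the attached patch (weak form before, corrected form after).

```python
import re
from typing import List, Tuple

# Constructed sample configs, not the page's own httpd.conf. The directory path
# and AuthUserFile are placeholders; the other directives follow the attached patch.
WEAK_CONF = """\
<Directory /srv/example/secure>
    AuthUserFile /path/to/placeholder.htpasswd
    AuthGroupFile /dev/null
    AuthName "access to the piranha web GUI"
    AuthType Basic
    <Limit GET>
        require user piranha
    </Limit>
</Directory>
HostnameLookups On
"""

# The corrected form: the same block with the <Limit GET> wrapper removed.
FIXED_CONF = WEAK_CONF.replace(
    "    <Limit GET>\n        require user piranha\n    </Limit>\n",
    "    require user piranha\n",
)

_OPEN = re.compile(r"^\s*<(Directory|Limit|LimitExcept)\b\s*([^>]*)>", re.I)
_CLOSE = re.compile(r"^\s*</(Directory|Limit|LimitExcept)\s*>", re.I)
_REQUIRE = re.compile(r"^\s*require\b", re.I)  # matches 2.2 'require' and 2.4 'Require'


def find_method_limited_auth(conf: str) -> List[Tuple[str, Tuple[str, ...]]]:
    """Return (directory, scopes) for every <Directory> block whose only
    'require' directives sit inside <Limit>/<LimitExcept> sections.

    Such a block authenticates only the listed (or all-but-listed) methods,
    which is the bug this issue reports: <Limit GET> alone ignores POST.
    """
    findings = []
    directory = None   # path of the <Directory> block being scanned
    scope = None       # e.g. "Limit GET" while inside such a section
    scoped = []        # method-scoped sections that contained a require
    unscoped = False   # a require applying to all methods was seen

    for line in conf.splitlines():
        if (m := _OPEN.match(line)):
            tag, args = m.group(1), " ".join(m.group(2).split())
            if tag.lower() == "directory":
                directory, scoped, unscoped = args, [], False
            else:
                scope = f"{tag} {args}"
            continue
        if (m := _CLOSE.match(line)):
            if m.group(1).lower() == "directory":
                if directory is not None and scoped and not unscoped:
                    findings.append((directory, tuple(scoped)))
                directory = None
            else:
                scope = None
            continue
        if directory is not None and _REQUIRE.match(line):
            if scope is None:
                unscoped = True
            else:
                scoped.append(scope)
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, find_method_limited_auth(conf) or "no method-scoped auth found")
```

Run against a real file with `find_method_limited_auth(open("/etc/sysconfig/ha/conf/httpd.conf").read())`; the weak sample yields one finding for the block protected only for `GET`, and the patched sample yields none. `<LimitExcept>` is reported too, since a `require` inside it likewise leaves the listed methods unauthenticated.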
Notes

(0018655) athmane, 2013-12-13 20:03
I was able to reproduce this issue. Because it's not specific to CentOS, I filed a bug in upstream bugzilla (with tracking link to this issue, see 'External Trackers' section). https://bugzilla.redhat.com/show_bug.cgi?id=1043040

(0019651) tigalch, 2014-04-21 14:57
Fixed with errata https://rhn.redhat.com/errata/RHSA-2014-0175.html
Date Modified | Username | Field | Change |
---|---|---|---|
2013-12-11 12:40 | IDMS-andreas.schiermeier | New Issue | |
2013-12-11 12:40 | IDMS-andreas.schiermeier | File Added: pirhana-httpdconf-limit.patch | |
2013-12-13 20:03 | athmane | Note Added: 0018655 | |
2013-12-13 20:03 | athmane | Status | new => confirmed |
2014-04-21 14:57 | tigalch | Note Added: 0019651 | |
2014-04-21 14:57 | tigalch | Status | confirmed => resolved |
2014-04-21 14:57 | tigalch | Fixed in Version | => 6.5 |
2014-04-21 14:57 | tigalch | Resolution | open => fixed |