[Bug 6648] New: insecure /cgi-bin/koha/ (of staff part) mapping in development mode of installation
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6648 Bug #: 6648 Summary: insecure /cgi-bin/koha/ (of staff part) mapping in development mode of installation Classification: Unclassified Change sponsored?: --- Product: Koha Version: unspecified Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P5 Component: Architecture, internals, and plumbing AssignedTo: gmcharlt@gmail.com ReportedBy: semarie-koha@latrappe.fr QAContact: koha-bugs@lists.koha-community.org This issue is between security issue and enhancement... the problem occurs only in 'dev' installation of koha (but it is common). When a installation is done in 'dev' mode, the ScriptAlias in apache for the 'intranet' is the git repository in entire. In result, any file that could be executed may be launched by any user from http://intranet/cgi-bin/koha/... The file are run without arguments. The problem is important for scripts like cronjobs, that are generally resource-consuming and run without arguments. Others scripts that do more evil think may also exist... As Makefile.PL know with directories (or files) should be acceded, an htacess should be generated for here in order to allow only 'INTRANET_CGI_DIR' and 'INTRANET_TMPL_DIR'. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6648 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED CC| |chris@bigballofwax.co.nz Resolution|--- |DUPLICATE --- Comment #1 from Chris Cormack <chris@bigballofwax.co.nz> --- *** This bug has been marked as a duplicate of bug 9949 *** -- You are receiving this mail because: You are the QA Contact for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org