[Koha-bugs] [Bug 6648] New: insecure /cgi-bin/koha/ (of staff part) mapping in development mode of installation

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Fri Jul 29 17:50:54 CEST 2011


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6648

             Bug #: 6648
           Summary: insecure /cgi-bin/koha/ (of staff part) mapping in
                    development mode of installation
    Classification: Unclassified
 Change sponsored?: ---
           Product: Koha
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Architecture, internals, and plumbing
        AssignedTo: gmcharlt at gmail.com
        ReportedBy: semarie-koha at latrappe.fr
         QAContact: koha-bugs at lists.koha-community.org


This issue is somewhere between a security issue and an enhancement... the problem occurs only
in a 'dev' installation of Koha (but that is common).

When an installation is done in 'dev' mode, the ScriptAlias in Apache for the
'intranet' is the entire git repository.

As a result, any file that can be executed may be launched by any user from
http://intranet/cgi-bin/koha/... The files are run without arguments.

The problem is important for scripts like cronjobs, which are generally
resource-consuming and run without arguments.

Other scripts that do more evil things may also exist...


As Makefile.PL knows which directories (or files) should be accessible, an .htaccess
should be generated here in order to allow only 'INTRANET_CGI_DIR' and
'INTRANET_TMPL_DIR'.
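An added shell check (not part of the bug report or of Koha) that models what the dev-mode ScriptAlias exposes: it walks the checkout root, treats every executable file as a reachable /cgi-bin/koha/ endpoint, and reports those that fall outside the directories Makefile.PL would permit. The sample tree and the directory names cgi, tmpl, cron and tools are constructed placeholders standing in for INTRANET_CGI_DIR, INTRANET_TMPL_DIR and the rest of a checkout.

```shell
#!/bin/sh
# Audit helper (constructed example). With a ScriptAlias that maps the whole
# checkout, every executable file is a CGI endpoint; this lists the ones that
# an allow-list of directories (as Makefile.PL would generate) does not cover.

# list_exposed ROOT ALLOWED_DIR...
# Prints the /cgi-bin/koha/ URL of each executable file under ROOT that is not
# inside one of the ALLOWED_DIR subdirectories (paths relative to ROOT).
list_exposed() {
    root=$1; shift
    # -perm -100: owner execute bit set (what Apache's cgi-script handler runs)
    find "$root" -type f -perm -100 | while read -r f; do
        rel=${f#"$root"/}
        exposed=1
        for d in "$@"; do
            case "$rel" in
                "$d"/*) exposed=0 ;;   # lives under an allowed directory
            esac
        done
        if [ "$exposed" -eq 1 ]; then
            printf '/cgi-bin/koha/%s\n' "$rel"
        fi
    done | sort
}

# build_sample_tree: constructed stand-in for a dev checkout; prints its path.
# cgi/ and tmpl/ play the role of the two permitted directories, cron/ and
# tools/ hold scripts that were never meant to be web-reachable.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/cgi/circ" "$root/tmpl" "$root/cron" "$root/tools"
    printf '#!/usr/bin/perl\n' > "$root/cgi/circ/returns.pl"
    printf '#!/usr/bin/perl\n' > "$root/cron/nightly.pl"
    printf '#!/bin/sh\n' > "$root/tools/rebuild.sh"
    printf 'template\n' > "$root/tmpl/page.tt"      # data file, not executable
    chmod +x "$root/cgi/circ/returns.pl" "$root/cron/nightly.pl" "$root/tools/rebuild.sh"
    printf '%s' "$root"
}

# Stand-alone demo: report what the allow-list {cgi, tmpl} still leaves exposed.
demo_root=$(build_sample_tree)
list_exposed "$demo_root" cgi tmpl
rm -rf "$demo_root"
```

Running it against a real checkout root with the directories from Makefile.PL shows exactly which cronjobs and maintenance scripts the .htaccess would need to cover.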

-- 
Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA Contact for the bug.