[Koha-bugs] [Bug 6648] New: insecure /cgi-bin/koha/ (of staff part) mapping in development mode of installation
bugzilla-daemon at bugs.koha-community.org
Fri Jul 29 17:50:54 CEST 2011
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6648
Bug #: 6648
Summary: insecure /cgi-bin/koha/ (of staff part) mapping in development mode of installation
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Architecture, internals, and plumbing
AssignedTo: gmcharlt at gmail.com
ReportedBy: semarie-koha at latrappe.fr
QAContact: koha-bugs at lists.koha-community.org
This issue is somewhere between a security issue and an enhancement... the problem occurs only
in a 'dev' installation of Koha (but that is common).
When an installation is done in 'dev' mode, the ScriptAlias in Apache for the
'intranet' is the entire git repository.
As a result, any file that could be executed may be launched by any user from
http://intranet/cgi-bin/koha/... The files are run without arguments.
The problem is important for scripts like cronjobs, which are generally
resource-consuming and run without arguments.
Other scripts that do more evil things may also exist...
As Makefile.PL knows which directories (or files) should be accessed, an .htaccess
should be generated here in order to allow only 'INTRANET_CGI_DIR' and
'INTRANET_TMPL_DIR'.
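The report above describes the exposure but does not show how to measure it. The script below is an added example written for this page; it is not Koha's own code and not part of the bug report. It audits a directory that a dev-mode ScriptAlias maps onto /cgi-bin/koha/ and lists every executable file that is reachable over HTTP but lies outside the directories that are meant to be web-facing, then emits an Apache 2.2-style deny stanza for each offending top-level directory. The directory names used in the demo tree (circ, misc/cronjobs, t, koha-tmpl) and the file names in it are constructed sample data, and the choice of which directories count as "allowed" is an assumption that a real deployment would take from its Makefile.PL settings.

```shell
#!/bin/sh
# Added example (not Koha's code): audit what a dev-mode ScriptAlias exposes.
# Assumption: the ScriptAlias target is a git checkout and only the top-level
# directories passed as "allowed" are supposed to be reachable over HTTP.

# exposed_scripts ROOT ALLOWED_DIR...
# Print, as /cgi-bin/koha/ URL paths, every executable regular file under ROOT
# whose top-level directory is not in the allowed list. The .git directory is
# skipped: its contents would be a separate disclosure concern, not CGI execution.
# Uses -perm -100 (owner execute bit) because mod_cgi needs the execute bit.
exposed_scripts() {
    root=$1
    shift
    find "$root" -name .git -prune -o -type f -perm -100 -print |
    while IFS= read -r f; do
        rel=${f#"$root"/}      # path relative to the ScriptAlias target
        top=${rel%%/*}         # first path component
        ok=0
        for a in "$@"; do
            [ "$top" = "$a" ] && ok=1
        done
        [ "$ok" -eq 0 ] && printf '/cgi-bin/koha/%s\n' "$rel"
    done | sort
}

# deny_stanza ROOT DIR
# Print an Apache 2.2 <Directory> block that refuses all requests for ROOT/DIR.
# (Apache 2.4 would use "Require all denied" instead of Order/Deny.)
deny_stanza() {
    printf '<Directory "%s/%s">\n    Order deny,allow\n    Deny from all\n</Directory>\n' "$1" "$2"
}

# make_demo_checkout
# Build a constructed sample tree that mimics the situation in the bug report:
# one web-facing CGI directory, a cronjob directory, a test directory and a
# template directory. Prints the path of the temporary root.
make_demo_checkout() {
    d=$(mktemp -d)
    mkdir -p "$d/circ" "$d/misc/cronjobs" "$d/t" "$d/koha-tmpl" "$d/.git/hooks"
    printf '#!/usr/bin/perl\n' > "$d/circ/example.pl"
    printf '#!/usr/bin/perl\n' > "$d/misc/cronjobs/nightly_job.pl"
    printf '#!/usr/bin/perl\n' > "$d/t/some_test.t"
    printf '#!/bin/sh\n'       > "$d/.git/hooks/pre-commit"
    printf 'template text\n'   > "$d/koha-tmpl/page.tt"   # not executable
    chmod 755 "$d/circ/example.pl" "$d/misc/cronjobs/nightly_job.pl" \
              "$d/t/some_test.t" "$d/.git/hooks/pre-commit"
    printf '%s\n' "$d"
}

# Stand-alone usage: audit the demo tree, allowing only circ and koha-tmpl.
if [ "${RUN_DEMO:-1}" = 1 ] && [ -z "${SKIP_DEMO:-}" ]; then
    demo=$(make_demo_checkout)
    echo "Executable files reachable via /cgi-bin/koha/ outside allowed dirs:"
    exposed_scripts "$demo" circ koha-tmpl
    echo
    echo "Suggested Apache 2.2 deny blocks:"
    exposed_scripts "$demo" circ koha-tmpl |
        sed 's|^/cgi-bin/koha/||; s|/.*||' | sort -u |
        while IFS= read -r dir; do deny_stanza "$demo" "$dir"; done
    rm -rf "$demo"
fi
```

On the demo tree the audit reports misc/cronjobs/nightly_job.pl and t/some_test.t, which is exactly the class of file the report worries about: executable, reachable by URL, never meant to be a CGI entry point. The allowed list is the policy decision; everything the script reports is a candidate for a deny block (or for simply not being under the ScriptAlias target at all), and the same audit can be re-run after the Apache change to confirm nothing reportable remains.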