From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] fix WebUI system information leak
Date: Mon, 04 Sep 2017 12:35:00 +0100
Message-ID: <1504524900.5011.3.camel@ipfire.org>
In-Reply-To: <20170903161453.1e018d7c.peter.mueller@link38.eu>

Merged.

-Michael

On Sun, 2017-09-03 at 16:14 +0200, Peter Müller wrote:
> Disable unauthenticated access to cgi-bin/credits.cgi. The page
> leaks the currently installed version of IPFire and the hardware
> architecture.
>
> Both pieces of information might make a successful attack much easier.
>
> This issue can be reproduced by accessing https://[IPFire-IP]:444/cgi-bin/credits.cgi
> and accepting an SSL certificate warning (if any).
>
> Signed-off-by: Peter Müller
> ---
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd= /vhosts.d/ipfire-interface-ssl.conf > index daac75742..4897d56d2 100644 > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > @@ -42,10 +42,6 @@ > Satisfy Any > Allow from All > > - > - Satisfy Any > - Allow from All > - > > Require user admin > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vho= sts.d/ipfire-interface.conf > index 8783c632b..c7c05972e 100644 > --- a/config/httpd/vhosts.d/ipfire-interface.conf > +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> @@ -34,10 +34,6 @@ > Satisfy Any > Allow from All > > - > - Satisfy Any > - Allow from All > - > > Require user admin
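Review bot: in the ipfire-interface-ssl.conf hunk (@@ -42,10 +42,6 @@) the four deleted lines are a copy of the unchanged `Satisfy Any` / `Allow from All` block that precedes them, so one anonymous-access exception remains in the SSL vhost after this patch; please confirm that the remaining exception does not also cover credits.cgi or another page that prints the version and architecture, otherwise the leak named in the commit message is only partly closed. A one-line comment above the surviving `Require user admin` saying that credits.cgi deliberately has no exception would stop someone from re-adding the block later.

Review bot: the ipfire-interface.conf hunk (@@ -34,10 +34,6 @@) deletes the same four lines as the SSL vhost, which shows the access-control exceptions are maintained twice by hand; consider moving the shared blocks into one fragment pulled in with `Include` from both vhosts, so that an exception added to one cannot silently stay open in the other. The commit message only gives the https://[IPFire-IP]:444 reproduction; it should mention that the plain-HTTP vhost was affected too, since this hunk is half of the fix.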
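For readers who have not seen the Apache semantics behind this patch, the following fragment shows the weak setting beside the corrected one. It is an added illustration, not IPFire's own configuration: the container type, the directory path and the AuthUserFile location are assumptions, because the quoted diff reached the list with its container tags stripped and the thread does not show them.

```apache
# Added example, not taken from IPFire's httpd configuration.
# Paths and the <Directory>/<Location> containers are assumptions.

# Default for the whole CGI tree: every request needs an authenticated admin.
<Directory /srv/web/ipfire/cgi-bin>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /var/ipfire/auth/users   # assumed path
    Require user admin
</Directory>

# WEAK: a per-page exception layered on top of the block above.
# "Satisfy Any" means passing EITHER the authentication OR the host-based
# Allow rule is enough, and "Allow from All" is satisfied by every client,
# so credits.cgi (and the version/architecture it prints) becomes public.
<Location /cgi-bin/credits.cgi>
    Satisfy Any
    Allow from All
</Location>

# FIXED: there is nothing to add. Deleting the <Location> block above is the
# whole fix; credits.cgi then inherits "Require user admin" from the
# enclosing <Directory>, which is exactly what the quoted patch does.
```

To verify the fix on a running box, `curl -k -o /dev/null -w '%{http_code}\n' https://<ipfire>:444/cgi-bin/credits.cgi` should return 401 without credentials, and the same request to the plain-HTTP vhost should no longer answer 200 either; note that `Satisfy` and `Allow` are Apache 2.2 syntax kept alive by mod_access_compat, so any remaining exceptions of this kind are worth rewriting as `Require all granted` during the next cleanup.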