From: Peter Müller
To: development@lists.ipfire.org
Subject: [PATCH] fix WebUI system information leak
Date: Sun, 03 Sep 2017 16:14:53 +0200
Message-ID: <20170903161453.1e018d7c.peter.mueller@link38.eu>

Disable unauthenticated access to cgi-bin/credits.cgi. The page leaks the currently installed version of IPFire and the hardware architecture. Both pieces of information might make a successful attack much easier.

This issue can be reproduced by accessing https://[IPFire-IP]:444/cgi-bin/credits.cgi and accepting an SSL certificate warning (if any).

Signed-off-by: Peter Müller
---
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/v= hosts.d/ipfire-interface-ssl.conf index daac75742..4897d56d2 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -42,10 +42,6 @@ Satisfy Any Allow from All - - Satisfy Any - Allow from All - Require user admin diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhost= s.d/ipfire-interface.conf index 8783c632b..c7c05972e 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -34,10 +34,6 @@ Satisfy Any Allow from All - - Satisfy Any - Allow from All - Require user admin
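Review bot: in ipfire-interface-ssl.conf (hunk at -42,10), an unchanged `Satisfy Any` / `Allow from All` pair is still present as context directly above the removed block, so at least one path in this vhost continues to bypass `Require user admin`. The hunk as shown does not say which container that pair belongs to. Please name the remaining exemption in the commit message and confirm that it does not serve version or architecture details, otherwise the leak described here is only partly closed.

Review bot: in ipfire-interface.conf (hunk at -34,10), the same block is dropped from the second vhost, but the commit message gives a reproduction step only for HTTPS on port 444. Please state whether credits.cgi was reachable without authentication through this vhost as well, and add a verification step for both files: after the change, an unauthenticated request to cgi-bin/credits.cgi should be challenged for credentials instead of being served. The same unchanged `Satisfy Any` / `Allow from All` context above the removed lines applies here, so the question about the remaining exemption holds for this file too.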