Re: [PATCH] force transport encryption for WebUI logins

23 Sep 2017

Hello Matthias,
tanks for reporting this. I am trying to reproduce here...
Best regards,
Peter Müller
...
Hi Peter,
Please review this patch... (http://patchwork.ipfire.org/patch/1413/)
During testing I found that every machine in my GREEN net was suddenly
able to login through https://%5BIPFIRE_GREEN_ADDRESS%5D:%5B444].
No question for admin-username, no password authentification request,
nothing.
It seems as as if the Authentication Header is missing(?).
Only when I remove the "Require ssl" lines (I did this in both files), a
browser restart leads to the usual login procedure.
Best,
Matthias
On 08.09.2017 19:19, Peter Müller wrote:
...
Force SSL/TLS for any WebUI directory which requires an authentication.
This prevents credentials from being transmitted in plaintext, which is
an information leak.
Scenario: A MITM attacker might block all encrypted traffic to the
firewall's web interface, making the administrator using an unencrypted
connection (i.e. via port 81). Username and password can be easily
logged in transit then.
Signed-off-by: Peter Müller peter.mueller@link38.eu

diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index 6f353962e..5ceaa1f32 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -24,6 +26,7 @@
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
         Require user admin

   Require ssl

   </DirectoryMatch>
   ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
   <Directory /srv/web/ipfire/cgi-bin>


@@ -33,6 +36,7 @@
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
         Require user admin

   Require ssl
   <Files chpasswd.cgi>
       Require all granted
   </Files>



@@ -50,6 +54,7 @@
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
         Require user dial admin

   Require ssl

   </Directory>
   <Files ~ "\.(cgi|shtml?)$">
 SSLOptions +StdEnvVars


@@ -86,5 +91,6 @@
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
         Require user admin

   Require ssl

   </Directory>


 </VirtualHost>
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index 619f90fcc..58d1b54cd 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -16,6 +16,7 @@
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
         Require user admin
+        Require ssl
     </DirectoryMatch>
     ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
     <Directory /srv/web/ipfire/cgi-bin>
@@ -25,6 +26,7 @@
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
         Require user admin
+        Require ssl
          <Files chpasswd.cgi>
             Require all granted
         </Files>
@@ -42,6 +44,7 @@
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
         Require user dial admin
+        Require ssl
     </Directory>
     Alias /updatecache/ /var/updatecache/
   <Directory /var/updatecache>

    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Re: [PATCH] force transport encryption for WebUI logins

Signed-off-by: Peter Müller peter.mueller@link38.eu