Disable unauthenticated access to cgi-bin/credits.cgi. The page leaks the currently installed version of IPFire and the hardware architecture.
Both pieces of information might make a successful attack much easier.
This issue can be reproduced by accessing https://[IPFire-IP]:444/cgi-bin/credits.cgi and accepting an SSL certificate warning (if any).
Signed-off-by: Peter Müller peter.mueller@link38.eu --- diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index daac75742..4897d56d2 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -42,10 +42,6 @@ Satisfy Any Allow from All </Files> - <Files credits.cgi> - Satisfy Any - Allow from All - </Files> <Files dial.cgi> Require user admin </Files> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 8783c632b..c7c05972e 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -34,10 +34,6 @@ Satisfy Any Allow from All </Files> - <Files credits.cgi> - Satisfy Any - Allow from All - </Files> <Files dial.cgi> Require user admin </Files>
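Review bot: in the ipfire-interface-ssl.conf hunk, dropping the `<Files credits.cgi>` override only closes the hole if the enclosing directory block already defaults to something like `Require valid-user`; that default is outside the hunk, so the commit message should say what credits.cgi now falls back to, and the reproduction step should be extended with the expected result after the fix (an HTTP 401 instead of a 200 for an anonymous request). The leading context of the same hunk shows the preceding `<Files ...>` stanza still ending in `Satisfy Any` / `Allow from All`, so one sentence on why that remaining anonymous entry is acceptable would help the next reviewer.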
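Review bot: the ipfire-interface.conf hunk removes the identical block from the plain-HTTP vhost, but the commit message only documents the https://[IPFire-IP]:444 reproduction; please mention that the second vhost is covered as well so the fix is recorded for both entry points. Style point: the two vhosts carry the same per-file `<Files>` stanzas (`Satisfy Any`, `Allow from All`, `Require user admin`) that have to be kept in sync by hand, as this patch itself shows; moving the shared access list into one file pulled in via `Include` would avoid the next drift.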
Merged.
-Michael
On Sun, 2017-09-03 at 16:14 +0200, Peter Müller wrote:
Disable unauthenticated access to cgi-bin/credits.cgi. The page leaks the currently installed version of IPFire and the hardware architecture.
Both pieces of information might make a successful attack much easier.
This issue can be reproduced by accessing https://[IPFire-IP]:444/cgi-bin/credits.cgi and accepting an SSL certificate warning (if any).
Signed-off-by: Peter Müller peter.mueller@link38.eu
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index daac75742..4897d56d2 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -42,10 +42,6 @@ Satisfy Any Allow from All </Files>
<Files credits.cgi>
Satisfy Any
Allow from All
</Files> <Files dial.cgi> Require user admin </Files>
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 8783c632b..c7c05972e 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -34,10 +34,6 @@ Satisfy Any Allow from All </Files>
<Files credits.cgi>
Satisfy Any
Allow from All
</Files> <Files dial.cgi> Require user admin </Files>
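To verify the behaviour the commit message describes (credits.cgi no longer reachable without credentials, while still working for the admin), here is an added check script; it is not part of the IPFire patch or project code. It assumes the web UI on port 444 uses HTTP Basic authentication, as the `Require user admin` lines suggest, and that the page text contains a version string of the form `IPFire <major>.<minor>` and an architecture token such as x86_64; both patterns, `CGI_PATH` and the host given on the command line are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Added verification script (not part of the IPFire patch or project):
checks that /cgi-bin/credits.cgi is no longer served to anonymous clients
and, optionally, that it still works with the admin credentials.

Assumptions (not stated on the page): the web UI uses HTTP Basic auth, the
page text contains "IPFire <major>.<minor>", and the architecture appears
as a token such as x86_64 or aarch64.
"""
import base64
import re
import ssl
import sys
import urllib.error
import urllib.request

CGI_PATH = "/cgi-bin/credits.cgi"

# Assumed fingerprint patterns for the version and architecture strings.
VERSION_RE = re.compile(r"IPFire\s+\d+\.\d+", re.IGNORECASE)
ARCH_RE = re.compile(r"\b(i586|i686|x86_64|armv[5-7]\w*|aarch64)\b")


def fetch(url, user=None, password=None, timeout=10):
    """GET url and return (status, body). The IPFire UI uses a self-signed
    certificate, so verification is disabled on purpose; this is the
    'accept the SSL certificate warning' step from the commit message."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def fingerprint(body):
    """Return the version/architecture strings found in body, if any."""
    found = {}
    m = VERSION_RE.search(body)
    if m:
        found["version"] = m.group(0)
    m = ARCH_RE.search(body)
    if m:
        found["arch"] = m.group(1)
    return found


def assess(status, body):
    """Classify one response to an *unauthenticated* request:
    'leak'       - page served (200) and it reveals version or arch
    'protected'  - server demanded credentials or refused (401/403)
    'served'     - page served but nothing fingerprintable matched
    'unexpected' - anything else (redirect, server error, ...)"""
    if status in (401, 403):
        return "protected"
    if status == 200:
        return "leak" if fingerprint(body) else "served"
    return "unexpected"


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} https://[IPFire-IP]:444 [user password]")
        return 2
    base = argv[1].rstrip("/")
    status, body = fetch(base + CGI_PATH)
    verdict = assess(status, body)
    print(f"anonymous: HTTP {status} -> {verdict} {fingerprint(body)}")
    rc = 0 if verdict == "protected" else 1
    if len(argv) >= 4:  # optionally prove the page still works when logged in
        status, body = fetch(base + CGI_PATH, argv[2], argv[3])
        ok = status == 200
        print(f"as {argv[2]}: HTTP {status} -> "
              f"{'ok' if ok else 'broken'} {fingerprint(body)}")
        rc = rc or (0 if ok else 1)
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 credits_check.py https://[IPFire-IP]:444` before and after applying the patch: the anonymous request should move from `leak` to `protected`, and the exit status is non-zero whenever the page is still handed out without credentials, so the script can sit in a post-upgrade check.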