
Item12984: Incorrect warning about unprotected "configure" script

Priority: Low
Current State: No Action Required
Released In: n/a
Target Release: n/a
Applies To: Engine
Component: Configure
Branches:
Reported By: DavidTonhofer
Waiting For:
Last Change By: GeorgeClark
Install Foswiki.

The whole URI tree is protected by HTTP authentication at the Foswiki root URI.

So to even get to "configure", you have to perform HTTP-level authentication.

The configure script shows:

High security risk!

This screen was accessed without requiring authentication. You should always make sure the configuration interface requires authentication, or it may be used by a hacker to modify your Foswiki configuration.

See Protecting Your Configuration for more information on limiting access to configuration.

This is a confusing warning; can that script check whether HTTP authentication is active and not display the above?


This is completely eliminated in the upcoming Foswiki 1.2. Configure is "just another script", protected through foswiki ACL-like checks. Setting to no action.

-- GeorgeClark - 24 Dec 2014

Summary: Incorrect warning about unprotected "configure" script
ReportedBy: DavidTonhofer
Codebase: 1.1.9
SVN Range:
AppliesTo: Engine
Component: Configure
Priority: Low
CurrentState: No Action Required
WaitingFor:
Checkins:
TargetRelease: n/a
ReleasedIn: n/a
CheckinsOnBranches:
trunkCheckins:
masterCheckins:
ItemBranchCheckins:
Release01x01Checkins:
Topic revision: r2 - 24 Dec 2014, GeorgeClark