Item10018: Error in Apache Config generator (protecting configure script)
Current State: Closed
Released In: n/a
Target Release: n/a
If I generate an apache config with the apache config generator and enter no IP address in Section "Protect the bin/configure command", enter one username in the box and leave the switch between the IP address box and the user name box marked "OR", the following syntax is generated:
# Limit access to configure to specific IP address(es) and user(s).
# Make sure configure is not open to the general public.
# It exposes system details that can help attackers.
# cf. http://foswiki.org/Support/ProtectingYourConfiguration for details.
Require user XYZ
ErrorDocument 401 default
-> that means everyone is able to use the configure script!
I think the script should automatically generate "Satisfy All" if either no IP address or no username is given. Alternatively it would be better to default the switch to AND instead of OR.
- 13 Nov 2010
have been updated to default to AND. Leaving this task open until further testing is done.
- 14 Nov 2010