You are here: Foswiki>Tasks Web>Item10018 (15 Mar 2012, GeorgeClark)Edit Attach

Item10018: Error in Apache Config generator (protecting configure script)

Priority: Normal
Current State: Closed
Released In: n/a
Target Release: n/a
Applies To: Web Site
Component: ApacheConfigGenerator
Reported By: PeterMuchmann
Waiting For:
Last Change By: GeorgeClark
If I generate an apache config with the apache config generator and enter no IP address in Section "Protect the bin/configure command", enter one username in the box and leave the switch between the IP address box and the user name box marked "OR", the following syntax is generated:

    # Limit access to configure to specific IP address(es) and user(s).
    # Make sure configure is not open to the general public.
    # It exposes system details that can help attackers.
    # cf. for details.
    <FilesMatch "^(configure)$">
        SetHandler cgi-script
        Require user XYZ
        Satisfy Any
        ErrorDocument 401 default

-> that means everyone is able to use the configure script!

I think the script should automatically generate "Satisfy All" if either no IP address or no username is given. Alternatively it would be better to default the switch to AND instead of OR.

-- PeterMuchmann - 13 Nov 2010

Thanks, Support/ApacheConfigGenerator and Support/NewApacheConfigGenerator have been updated to default to AND. Leaving this task open until further testing is done.

-- GeorgeClark - 14 Nov 2010

ItemTemplate edit

Summary Error in Apache Config generator (protecting configure script)
ReportedBy PeterMuchmann
Codebase 1.1.2
SVN Range
AppliesTo Web Site
Component ApacheConfigGenerator
Priority Normal
CurrentState Closed
TargetRelease n/a
ReleasedIn n/a
Topic revision: r4 - 15 Mar 2012, GeorgeClark - This page was cached on 18 Feb 2018 - 16:37.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License