Item10018: Error in Apache Config generator (protecting configure script)

Priority: Normal
Current State: Closed
Released In: n/a
Target Release: n/a
Applies To: Web Site
Component: ApacheConfigGenerator
Branches:
Reported By: PeterMuchmann
Waiting For:
Last Change By: GeorgeClark

If I generate an Apache config with the Apache config generator and enter no IP address in section "Protect the bin/configure command", enter one username in the box and leave the switch between the IP address box and the user name box marked "OR", the following syntax is generated:

    # Limit access to configure to specific IP address(es) and user(s).
    # Make sure configure is not open to the general public.
    # It exposes system details that can help attackers.
    # cf. http://foswiki.org/Support/ProtectingYourConfiguration for details.
    <FilesMatch "^(configure)$">
        SetHandler cgi-script
        Require user XYZ
        Satisfy Any
        ErrorDocument 401 default
    </FilesMatch>

-> that means everyone is able to use the configure script!

I think the script should automatically generate "Satisfy All" if either no IP address or no username is given. Alternatively it would be better to default the switch to AND instead of OR.

-- PeterMuchmann - 13 Nov 2010

Thanks, Support/ApacheConfigGenerator and Support/NewApacheConfigGenerator have been updated to default to AND. Leaving this task open until further testing is done.

-- GeorgeClark - 14 Nov 2010
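
An added example, not part of the original report or of Foswiki's generator: a small Python check that flags `<FilesMatch>` blocks like the one quoted above, where `Satisfy Any` is combined with `Require` but the block's host test passes for every client. It assumes Apache 2.2-style `Order`/`Allow`/`Deny` semantics and looks only at directives inside the block itself; the function names and the second sample block (address 192.0.2.10) are constructed for illustration.

```python
import re

# Constructed sample: the block from the report, then a variant with a host restriction.
SAMPLE = '''
<FilesMatch "^(configure)$">
    SetHandler cgi-script
    Require user XYZ
    Satisfy Any
    ErrorDocument 401 default
</FilesMatch>
<FilesMatch "^(configure)$">
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.10
    Require user XYZ
    Satisfy Any
</FilesMatch>
'''
BLOCK = re.compile(r'<FilesMatch\s+"?([^">]+)"?\s*>(.*?)</FilesMatch>', re.I | re.S)

def host_check_open(directives):
    """True if the block's own Order/Allow/Deny lines admit every client."""
    order, allows, denies = "deny,allow", [], []   # Apache 2.2 default Order
    for name, args in directives:
        if name == "order":
            order = args.replace(" ", "").lower()
        elif name in ("allow", "deny") and args.lower().startswith("from"):
            (allows if name == "allow" else denies).extend(args.lower().split()[1:])
    if order == "deny,allow":                      # unmatched clients are allowed
        return not denies or "all" in allows
    return "all" in allows and not denies          # allow,deny: unmatched are denied

def find_open_blocks(conf):
    """Return FilesMatch patterns where 'Satisfy Any' makes 'Require' optional."""
    findings = []
    for pattern, body in BLOCK.findall(conf):
        directives = []
        for line in body.splitlines():
            parts = line.split(None, 1)
            if parts and not parts[0].startswith("#"):
                directives.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
        satisfy = [args.lower() for name, args in directives if name == "satisfy"]
        has_require = any(name == "require" for name, _ in directives)
        if has_require and satisfy[-1:] == ["any"] and host_check_open(directives):
            findings.append(pattern)
    return findings

if __name__ == "__main__":
    print(find_open_blocks(SAMPLE))
```

Only the first sample block is reported; the same block with `Satisfy All` (the generator's AND setting) is not, because authentication is then always required.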
 

ItemTemplate

Summary Error in Apache Config generator (protecting configure script)
ReportedBy PeterMuchmann
Codebase 1.1.2
SVN Range
AppliesTo Web Site
Component ApacheConfigGenerator
Priority Normal
CurrentState Closed
WaitingFor
Checkins
TargetRelease n/a
ReleasedIn n/a
CheckinsOnBranches
trunkCheckins
Release01x01Checkins
Topic revision: r4 - 15 Mar 2012, GeorgeClark