[HINT] - right webserver config to avoid Security issues


Postby GunnarD » Fri Aug 10, 2012 8:39 am

Everybody can read TestLink's logs without logging in!

Same thing with the uploads directory: if your webserver allows you to browse directories, you can get all uploaded documents!

Should be the same with all files that do not end with .html or .php (any files that the web server doesn't process).

Simple solution:
In every directory that should not be accessed by a URL, put an .htaccess file there to disable access; PHP scripts can still access those directories.
GunnarD

Re: [HINT] - right webserver config to avoid Security issues

Postby fman » Fri Aug 17, 2012 7:55 am

And we got a vulnerability!! These problems (and others) have been reported on:
http://itsecuritysolutions.org/2012-08- ... abilities/
http://www.metasploit.com/modules/explo ... pload_exec

We are going to add the solution provided by GunnarD to the distribution, but this will work out of the box only for Apache (AFAIK);
this means we need to provide a warning while installing.
Better solution:
move the upload area and logs OUT OF the web server's accessible resources (this needs, I think, not too much effort)
fman
Member of TestLink Community
Posts: 3063
Joined: Tue Nov 15, 2005 7:19 am
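The two fixes discussed in this thread, as an added example that is not from the thread or from TestLink itself. The first function writes GunnarD's deny-all .htaccess (with directory listing switched off) into each sensitive directory, emitting both the Apache 2.2 and 2.4 syntax so the same file works on either version; as fman notes, this is Apache-only, and it only takes effect when the virtual host allows overrides (AllowOverride All, or at least Limit and Options). The second function is a check for fman's better solution: it resolves a configured storage path and reports whether it still lies inside the document root, i.e. whether it is still reachable by URL at all. The directory names `logs` and `upload_area` and the document root `/var/www/testlink` are assumptions for the example, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from TestLink): harden directories
# the web server must never serve, and check whether a storage path still
# lives inside the document root.

# Write a deny-all .htaccess into one directory.  Apache 2.2 and 2.4 use
# different access-control syntax, so both are emitted inside <IfModule>
# guards.  Only honoured when the vhost permits overrides (AllowOverride).
write_deny_htaccess() {
    dir="$1"
    [ -d "$dir" ] || return 1
    cat > "$dir/.htaccess" <<'EOF'
# Deny every HTTP request for this directory; PHP can still read and write it.
Options -Indexes
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Apply the .htaccess to every listed subdirectory of a document root.
harden_docroot() {
    root="$1"; shift
    for sub in "$@"; do
        write_deny_htaccess "$root/$sub" || echo "skip: $root/$sub missing" >&2
    done
}

# Canonical absolute path (symlinks resolved) without relying on realpath(1).
canon() { (cd "$1" 2>/dev/null && pwd -P); }

# Returns 0 if $2 resolves to a location inside document root $1 (still
# reachable by URL), 1 if it is outside, 2 if either path does not exist.
is_under_docroot() {
    root=$(canon "$1") || return 2
    path=$(canon "$2") || return 2
    case "$path/" in
        "$root/"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Usage (assumed paths): harden_docroot /var/www/testlink logs upload_area
if [ $# -ge 2 ]; then
    harden_docroot "$@"
fi
```

Run it as `sh harden.sh /var/www/testlink logs upload_area` to drop the .htaccess files, then use `is_under_docroot /var/www/testlink /path/from/config` against the paths in the TestLink configuration: a return of 0 means the data is still inside the web root and the .htaccess is the only thing standing between it and an anonymous request, which is exactly the situation fman suggests removing by relocating the directories.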

