[HINT] - right webserver config to avoid Security issues

Postby GunnarD » Fri Aug 10, 2012 8:39 am

Everybody can read TestLink's logs without logging in!

Same thing with the uploads directory: if your web server allows you to browse directories, you can get all uploaded documents!

It should be the same with all files that do not end with .html or .php (any files that the web server doesn't process).

Simple solution:
In every directory that should not be accessed by a URL, put an .htaccess file there to disable access; PHP scripts can still access those directories.

Re: [HINT] - right webserver config to avoid Security issues

Postby fman » Fri Aug 17, 2012 7:55 am

And we got a vulnerability!! These problems (and others) have been reported on:
http://itsecuritysolutions.org/2012-08- ... abilities/
http://www.metasploit.com/modules/explo ... pload_exec

We are going to add to the distribution the solution provided by GunnarD, but this will work out of the box only for APACHE (AFAIK);
this means we need to provide a warning while installing.
Better solution:
move the upload area and logs OUT OF WEB SERVER accessible resources (I think this needs not too much effort).
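The two fixes discussed in this thread, as an added example that is not part of the original posts or of TestLink itself: a script that drops GunnarD's deny-all .htaccess into the logs and upload directories (it only takes effect on Apache with AllowOverride enabled, as fman notes), plus a check for fman's preferred option of keeping those directories outside the document root entirely. Directory names and paths are assumptions.

```shell
#!/bin/sh
# Added example, not TestLink's own code. Directory names are assumptions.

# Write an .htaccess that denies all direct HTTP access to a directory.
# Covers both Apache 2.2 (Order/Deny) and 2.4 (Require) syntax.
# Only effective when the vhost has AllowOverride Limit (or All);
# on other web servers (nginx, IIS) this file is ignored.
write_deny_htaccess() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    cat > "$dir/.htaccess" <<'EOF'
# Deny direct HTTP access; PHP can still read and write files here.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Return 0 when "path" is not inside "docroot", i.e. the web server cannot
# serve it directly no matter how .htaccess is handled; return 1 otherwise.
outside_docroot() {
    docroot="${1%/}"
    path="${2%/}"
    case "$path" in
        "$docroot"|"$docroot"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demo on a constructed scratch tree (run with --demo); not a real install.
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    mkdir -p "$root/htdocs/testlink/logs" "$root/htdocs/testlink/upload_area" \
             "$root/private/upload_area"
    for d in "$root/htdocs/testlink/logs" "$root/htdocs/testlink/upload_area"; do
        write_deny_htaccess "$d" && echo "protected $d"
    done
    outside_docroot "$root/htdocs" "$root/private/upload_area" \
        && echo "private upload_area is outside the web root"
    rm -rf "$root"
fi
```

Verify the .htaccess with a request for a known log file name after deploying: a 403 shows the override is honoured, a 200 means AllowOverride is off and the directory should be moved out of the document root instead.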
