CVE-2014-3928: Unsafe configuration file path/ACL #4

Closed
lucab opened this issue Jun 2, 2014 · 2 comments
lucab commented Jun 2, 2014

I've already tried to report security issues privately via mail (message-id 20140520102828.30d346b6@xantho) on 20/05/2014 but got no reply, so I'm filing a public report.

The config filename is hardcoded at lg.cgi:299. As such, IPs and credentials are stored in a plain file named lg.conf under the same web directory, and the software README doesn't suggest any additional protection.

In order to avoid exposing credentials through the web, it would be better to move this file outside of the web root, or to suggest a proper ACL in the webserver configuration.

cc @emdel for credits

@lucab lucab changed the title CVE-2014-3928: unsafe config path/ACL CVE-2014-3928: Unsafe config path/ACL Jun 2, 2014
@lucab lucab changed the title CVE-2014-3928: Unsafe config path/ACL CVE-2014-3928: Unsafe configuration file path/ACL Jun 2, 2014
Cougar (Owner) commented Jun 22, 2014

Actually you can't read any file from the directory as long as the server configuration is right:

ScriptAlias /lg /usr/local/httpd/htdocs/lg/lg.cgi

However, I'll add a notice to the README file too.
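The two comments above describe the same file in two deployments: one where lg.conf is fetchable over HTTP and one where ScriptAlias shadows it. The following Apache configuration is an added example, not part of the project or of either comment, placing the weak mapping beside the hardened one. The directory /usr/local/httpd/htdocs/lg and the URL prefix /lg are taken from the comment above; /etc/lg/lg.conf is an assumed location for the moved file.

```apache
# Added example (not the project's own configuration).
# Paths: /usr/local/httpd/htdocs/lg and the /lg URL prefix come from the
# comment above; /etc/lg/lg.conf is an assumed path outside the web root.

# WEAK: mapping the whole directory gives every file in it a URL, so
# GET /lg/lg.conf returns the router IPs and credentials as a static file.
# The same happens with no Alias at all when the directory sits under
# DocumentRoot and is reached through any URL other than /lg.
#
# Alias /lg/ "/usr/local/httpd/htdocs/lg/"
# <Directory "/usr/local/httpd/htdocs/lg">
#     Options +ExecCGI
#     AddHandler cgi-script .cgi
#     Require all granted
# </Directory>

# HARDENED: ScriptAlias maps the /lg prefix to the single script. A request
# for /lg/lg.conf is prefix-matched to lg.cgi with PATH_INFO=/lg.conf, so the
# config file is never served as a file. This only holds because the URL
# prefix (/lg) coincides with the directory name under DocumentRoot; with a
# different prefix (e.g. /cgi-bin/lg) the directory stays reachable as
# /lg/lg.conf and the next block is what protects it.
ScriptAlias /lg "/usr/local/httpd/htdocs/lg/lg.cgi"

# Defence in depth: deny the config file by name, regardless of how the
# directory is mapped now or after a later configuration change.
# (Apache 2.4 syntax; on 2.2 use "Order deny,allow" / "Deny from all".)
<Files "lg.conf">
    Require all denied
</Files>

# Preferred per the report: keep the file out of the web tree entirely and
# read it from the assumed path /etc/lg/lg.conf, which requires changing the
# hardcoded filename in lg.cgi (the line cited in the report). Then also make
# it readable by the web server user only:
#   chown root:www-data /etc/lg/lg.conf && chmod 0640 /etc/lg/lg.conf
```

After reloading the configuration, a practitioner would confirm the fix from outside with a request for /lg/lg.conf and expect a 403 or 404 rather than a 200 with file contents; the same check against a second virtual host or a plain DocumentRoot path for the directory catches the case where the directory is mapped twice.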

Cougar added a commit that referenced this issue Jun 22, 2014
Closes #4: CVE-2014-3928: Unsafe configuration file path/ACL
@Cougar Cougar closed this as completed Jun 22, 2014
Cougar added a commit that referenced this issue Jun 22, 2014
Closes #4: CVE-2014-3928: Unsafe configuration file path/ACL

(cherry picked from commit b7c8a7a)
lucab (Author) commented Jul 1, 2014

This is a cumulative thanks for all the fixes.
Regarding this single issue, we spotted several publicly readable lg.conf files, so we thought it was worth reporting and suggesting that the file be moved outside the webroot.
Would you mind tagging a release with all the patches?
