
CVE-2014-3928: Unsafe configuration file path/ACL #4

Closed
lucab opened this issue Jun 2, 2014 · 2 comments

Comments

@lucab

commented Jun 2, 2014

I've already tried to report security issues privately via mail (message-id 20140520102828.30d346b6@xantho) on 20/05/2014 but didn't get any reply, thus I'm filing a public report.

The config filename is hardcoded at lg.cgi:299. As such, IPs and credentials are stored in a plain file named lg.conf under the same web directory, and the software README doesn't suggest any additional protection.

In order to avoid exposing credentials through the web, it would be better to move this file outside of the web root, or to suggest a proper ACL for the webserver configuration.

cc @emdel for credits

@lucab lucab changed the title CVE-2014-3928: unsafe config path/ACL CVE-2014-3928: Unsafe config path/ACL Jun 2, 2014

@lucab lucab changed the title CVE-2014-3928: Unsafe config path/ACL CVE-2014-3928: Unsafe configuration file path/ACL Jun 2, 2014

@Cougar Cougar added the security label Jun 22, 2014

@Cougar

Owner

commented Jun 22, 2014

Actually, you can't read any file from the directory as long as the server configuration is right:

ScriptAlias /lg /usr/local/httpd/htdocs/lg/lg.cgi

However, I'll add a notice to the README file too.
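The two configurations being contrasted in this thread, written out as an added illustration (this is not the project's own configuration, and the paths and directives are assumptions based on the single ScriptAlias line quoted above). The first block is the weak layout the reporter describes: the whole lg directory is mapped into the URL space, so lg.conf becomes a plain, downloadable file. The second is the layout the maintainer describes, where only the CGI script is mapped, plus an explicit deny on the config file as a belt-and-braces measure in case a directory Alias is added later. Moving lg.conf outside the web root entirely, as the README change suggests, removes the dependency on the web server configuration altogether.

```apache
# WEAK (assumed layout): the whole directory is served, so a request for
# /lg/lg.conf returns the config file, credentials included.
Alias /lg /usr/local/httpd/htdocs/lg
<Directory "/usr/local/httpd/htdocs/lg">
    Options +ExecCGI
    AddHandler cgi-script .cgi
    Require all granted
</Directory>

# BETTER: map the URL to the single CGI script only. A request for
# /lg/lg.conf is then handed to lg.cgi as PATH_INFO rather than served
# as a file, which is the point the maintainer makes above.
ScriptAlias /lg /usr/local/httpd/htdocs/lg/lg.cgi

# DEFENSE IN DEPTH (added here, not from the project): refuse to serve the
# config file by name even if a directory Alias is reintroduced later.
<Files "lg.conf">
    Require all denied
</Files>
```

After reloading the server, the practical check is a plain GET against /lg/lg.conf: a 200 with the file contents means the weak layout is still in effect, while a 403 or a response generated by lg.cgi means the config is not reachable as a static file. Note that `Require all denied` is Apache 2.4 syntax; on 2.2 the equivalent is `Order deny,allow` followed by `Deny from all`.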

Cougar added a commit that referenced this issue Jun 22, 2014

Suggest config file location change outside web root
Closes #4: CVE-2014-3928: Unsafe configuration file path/ACL

@Cougar Cougar closed this Jun 22, 2014

Cougar added a commit that referenced this issue Jun 22, 2014

Suggest config file location change outside web root
Closes #4: CVE-2014-3928: Unsafe configuration file path/ACL

(cherry picked from commit b7c8a7a)
@lucab

Author

commented Jul 1, 2014

This is a cumulative thanks for all the fixes.
Regarding this single issue, we spotted several publicly readable lg.conf files, so we thought it was worth reporting and suggesting to move the file outside of the webroot.
Would you mind tagging a release with all the patches?
