CVE-2014-3928: Unsafe configuration file path/ACL #4
Comments
Actually you can't read any file from directory as long as the server configuration is right:
However, I'll add a notice to the README file too.
Closes #4: CVE-2014-3928: Unsafe configuration file path/ACL
Closes #4: CVE-2014-3928: Unsafe configuration file path/ACL (cherry picked from commit b7c8a7a)
This is a cumulative thanks for all the fixes.
I've already tried to report security issues privately via mail (message-id 20140520102828.30d346b6@xantho) on 20/05/2014 but didn't get any reply, thus I'm filing a public report.
The config filename is hardcoded at `lg.cgi:299`. As such, IPs and credentials are stored in a plain file named `lg.conf` under the same web directory, and the software `README` doesn't suggest any additional protection. In order to avoid exposing credentials through the web, it would be better to move this file outside of the web root, or to suggest proper ACLs for the webserver configuration.
cc @emdel for credits
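An added example (not code from the project or the reporter) of the mitigation the report asks for: a config loader that refuses a credentials file stored under the web root or readable by other local users. The file name `lg.conf` comes from the report; the web root path, the key=value file format and the sample values are assumptions.

```python
import stat
import tempfile
from pathlib import Path

# Illustrative loader: the real lg.cgi hardcodes the path; here the caller
# passes both the config path and the web server's document root.

def check_config_location(conf_path, web_root):
    """Return a list of problems with where and how the config file is stored."""
    problems = []
    conf = Path(conf_path).resolve()
    root = Path(web_root).resolve()
    # Inside the document root the web server can serve the file as-is
    # unless an ACL in the server configuration explicitly denies it.
    if root == conf or root in conf.parents:
        problems.append("config file is inside the web root")
    if not conf.is_file():
        problems.append("config file does not exist")
        return problems
    # Group/other permission bits let any local user read the credentials.
    if conf.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("config file is readable by group or others")
    return problems

def load_config(conf_path, web_root):
    """Parse a simple key=value file, but only if it is stored safely."""
    problems = check_config_location(conf_path, web_root)
    if problems:
        raise PermissionError("; ".join(problems))
    entries = {}
    with open(conf_path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries

def demo():
    """Constructed scenario: the same file deployed inside and outside the web root."""
    base = Path(tempfile.mkdtemp())
    web_root = base / "htdocs"
    web_root.mkdir()
    exposed = web_root / "lg.conf"  # the layout the report describes
    exposed.write_text("router1=10.0.0.1\npassword=example-secret\n")  # constructed values
    exposed.chmod(0o644)
    private = base / "etc" / "lg.conf"  # moved outside the web root, owner-only
    private.parent.mkdir()
    private.write_text(exposed.read_text())
    private.chmod(0o600)
    return {"exposed": check_config_location(exposed, web_root),
            "private": check_config_location(private, web_root),
            "loaded": load_config(private, web_root)}
```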