
CVE-2014-3929: Unsafe SSH keypairs path in default config #5

Closed
lucab opened this issue Jun 2, 2014 · 0 comments

@lucab commented Jun 2, 2014

I've already tried to report security issues privately via mail (message-id 20140520102828.30d346b6@xantho) on 20/05/2014 but didn't get any reply, thus I'm filing a public report.

In the default template config, at lg.conf:18 the default path for SSH keypairs is /var/www/.ssh, and the software README doesn't suggest any additional protections.

/var/www/ is the default web docroot in many distributions (e.g. all Debian stable and Ubuntu LTS), and as such files may be directly served from there by the web server.

A possible solution would be as suggested in #4.

cc @emdel for credits
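Added example (not code from the lg project or from this thread): a POSIX shell check that reads the SSH key directory from a config file and reports whether it sits under the web document root, which is the condition the report above describes. The `ssh_keys_path = ...` line format, the sample config and the `/etc/lg/ssh` alternative are constructed assumptions, since the real lg.conf syntax is not shown here.

```shell
#!/bin/sh
# Defender-side check: does the configured SSH key directory live inside the web docroot?
# Config line format "ssh_keys_path = /some/path" is a constructed assumption, not lg.conf syntax.

# Returns 0 when path $1 equals or lies beneath root $2 (trailing slashes ignored).
# The prefix test requires a "/" boundary, so /var/wwwroot is NOT under /var/www.
path_under_root() {
    p=$(printf '%s' "$1" | sed 's:/*$::')
    r=$(printf '%s' "$2" | sed 's:/*$::')
    case "$p" in
        "$r"|"$r"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the first ssh_keys_path value found in config file $1 (constructed key name).
ssh_key_dir_from_config() {
    sed -n 's/^[[:space:]]*ssh_keys_path[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Verdict for config file $1 against docroot $2: returns 1 (and says EXPOSED) when the
# key directory would be reachable through the web server's document root.
check_config() {
    dir=$(ssh_key_dir_from_config "$1")
    if [ -z "$dir" ]; then
        echo "NO ssh_keys_path found in $1"
        return 2
    fi
    if path_under_root "$dir" "$2"; then
        echo "EXPOSED: $dir is under web root $2"
        return 1
    fi
    echo "OK: $dir is outside web root $2"
    return 0
}
```

The comparison is purely lexical; if the key directory or docroot may be a symlink, canonicalise both with `realpath` first where it is available.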

@lucab lucab changed the title CVE-2014-3929: Unsafe default SSH keypairs path in default config CVE-2014-3929: Unsafe SSH keypairs path in default config Jun 2, 2014

@Cougar Cougar added the security label Jun 22, 2014

Cougar added a commit that referenced this issue Jun 22, 2014

Suggest config file location change outside web root
Closes #5: CVE-2014-3929: Unsafe SSH keypairs path in default config

@Cougar Cougar closed this Jun 22, 2014

Cougar added a commit that referenced this issue Jun 22, 2014

Suggest config file location change outside web root
Closes #5: CVE-2014-3929: Unsafe SSH keypairs path in default config

(cherry picked from commit 856cba2)