I've already tried to report security issues privately via mail (message-id 20140520102828.30d346b6@xantho) on 20/05/2014 but didn't get any reply, thus I'm filing a public report.

In the default template config, at lg.conf:18, the default path for SSH keypairs is /var/www/.ssh, and the software README doesn't suggest any additional protections.

/var/www/ is the default web docroot in many distributions (e.g. all Debian stable and Ubuntu LTS), and as such files may be directly served from there by the web server.
lucab changed the title from "CVE-2014-3929: Unsafe default SSH keypairs path in default config" to "CVE-2014-3929: Unsafe SSH keypairs path in default config" on Jun 2, 2014
A possible solution would be as suggested in #4.

cc @emdel for credits
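As an added example (not code from the project, from #4, or from this report), here is a small POSIX shell audit of the problem the report describes: it takes the key path an operator would read from lg.conf:18 and the web server's document root, canonicalises both so symlinks and `../` segments cannot disguise the relationship, and reports whether the key directory sits inside the docroot. The `/var/lib/lg/.ssh` path in the demo is an assumption for the example (a location outside the docroot), not a path the project documents.

```shell
#!/bin/sh
# Added example, not code from lg or from this report: check whether a
# configured SSH key path (the value an operator would read from lg.conf:18)
# lies inside the web server's document root, resolving symlinks and "../"
# so the relationship cannot be disguised. All paths below are constructed
# for the example.

# Canonicalise a path: existing directories via cd -P / pwd -P; for a path
# that does not exist (yet), canonicalise its parent and re-append the leaf.
canon() {
    if [ -d "$1" ]; then
        ( cd -P -- "$1" && pwd -P )
    else
        d=$(dirname -- "$1")
        b=$(basename -- "$1")
        p=$(canon "$d")
        printf '%s/%s\n' "${p%/}" "$b"
    fi
}

# Return 0 if key path $1 is the docroot $2 or lives beneath it, else 1.
key_dir_under_docroot() {
    key=$(canon "$1")
    doc=$(canon "$2")
    [ "$doc" = / ] && return 0          # everything is under the root directory
    case "$key" in
        "$doc"|"$doc"/*) return 0 ;;    # quoted: $doc is matched literally, not as a glob
        *)               return 1 ;;
    esac
}

# Print a verdict and return 1 for an unsafe location, 0 otherwise.
audit_key_path() {
    if key_dir_under_docroot "$1" "$2"; then
        printf 'UNSAFE: %s is inside docroot %s; the web server may serve the private key\n' "$1" "$2"
        return 1
    fi
    printf 'ok: %s is outside docroot %s\n' "$1" "$2"
}

# Demo with the default from the report against the Debian/Ubuntu docroot,
# then against an assumed location outside it (/var/lib/lg is an assumption
# for this example, not a path the project documents).
audit_key_path /var/www/.ssh /var/www || :
audit_key_path /var/lib/lg/.ssh /var/www || :
```

The check deliberately treats a symlink to a directory under the docroot as unsafe as well, since the web server follows it just like the real path; a prefix match on the raw strings would miss that case and would also wrongly flag `/var/www2/.ssh` as being under `/var/www`.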