Closed
Description
Hi,
As discussed on the mailing lists, it makes sense to restrict access to the kickstart directory in Cobbler, so that local file inclusions other than kickstart files are prohibited.
By specifying a 'Kickstart' value of /etc/passwd or any other crucial system file, local files are exposed by the Cobbler web_ui, which is a security vulnerability.
This issue has been opened here after discussion with Jorgen Maas.
Thanks,
Dolev Farhi, F5 Networks Inc
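One way to enforce the restriction requested in this report, shown as an added example that is not Cobbler's own code and not part of the original post: canonicalise the submitted 'Kickstart' value and accept it only if it resolves to a regular file inside the allowed directory. The function name, the exception class and the `kickstarts` directory name are assumptions; the sample tree is constructed in a temporary directory on a POSIX system.

```python
import os
import tempfile


class KickstartPathError(ValueError):
    """The requested kickstart path is not a file under the allowed directory."""


def resolve_kickstart_path(user_value, allowed_dir):
    """Return the canonical path if user_value names a regular file inside
    allowed_dir; raise KickstartPathError otherwise."""
    if not user_value or "\x00" in user_value:
        raise KickstartPathError("empty or malformed kickstart path")
    base = os.path.realpath(allowed_dir)
    # join() keeps an absolute user_value as-is; realpath() then collapses
    # ".." segments and follows symlinks, so the check sees the real target.
    candidate = os.path.realpath(os.path.join(base, user_value))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise KickstartPathError("kickstart path is outside the allowed directory")
    if not os.path.isfile(candidate):
        raise KickstartPathError("kickstart path is not a regular file")
    return candidate


def demo():
    """Build a constructed directory tree and report which values are accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        ks_dir = os.path.join(root, "kickstarts")  # placeholder directory name
        os.mkdir(ks_dir)
        with open(os.path.join(ks_dir, "sample.ks"), "w") as fh:
            fh.write("# constructed kickstart file\n")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("constructed file outside the kickstart directory\n")
        # Symlink inside the allowed directory that points outside it.
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(ks_dir, "link.ks"))
        for value in ("sample.ks", os.path.join(ks_dir, "sample.ks"),
                      "/etc/passwd", "../secret.txt", "link.ks", "."):
            try:
                resolve_kickstart_path(value, ks_dir)
                results[value] = True
            except KickstartPathError:
                results[value] = False
    return results


if __name__ == "__main__":
    for value, allowed in demo().items():
        print("%-40s %s" % (value, "allowed" if allowed else "rejected"))
```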