Security fix: unauthorized access #10091

Merged
merged 2 commits into from Apr 12, 2019

@murrant (Member) commented Apr 11, 2019

Affects nginx users:
Moved php files outside of public html directory (Apache was protected by .htaccess)
Some files could be accessed directly, leaking some information, like the version in about.inc.php but not statistics because it doesn't have DB access.

Affects all users:
Some files did not check for authentication and could disclose some info.
Better checks before including files from user input

DO NOT DELETE THIS TEXT

Please note

Please read this information carefully. You can run ./scripts/pre-commit.php to check your code before submitting.

Testers

If you would like to test this pull request then please run: ./scripts/github-apply <pr_id>, i.e ./scripts/github-apply 5926
After you are done testing, you can remove the changes with ./scripts/github-remove. If there are schema changes, you can ask on discord how to revert.
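
The three changes listed in the description above (page files kept outside the web root, an authentication check before any page code runs, and validation of user input before `include`) look like this in PHP. This is an added example, not code from this pull request or from LibreNMS; the function names `resolve_page` and `dispatch`, the `authenticated` session key and the temporary directory layout are assumptions.

```php
<?php
// Added example: names and directory layout are assumptions, not LibreNMS code.

/** Resolve a user-supplied page name to a file under $baseDir (kept outside the web root), or null. */
function resolve_page(string $baseDir, string $page): ?string
{
    // Accept only plain path segments: no dots, backslashes, NUL bytes or URL schemes.
    if (!preg_match('#^[a-z0-9_-]+(/[a-z0-9_-]+)*$#i', $page)) {
        return null;
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . $page . '.inc.php');
    if ($base === false || $file === false) {
        return null; // base directory missing or target file does not exist
    }
    // After symlink resolution the target must still sit under the base directory.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

/** Front controller step: authenticate first, then include only a resolved file. */
function dispatch(string $baseDir, array $session, array $query): int
{
    if (empty($session['authenticated'])) {
        return 403; // no page code runs for anonymous requests
    }
    $page = $query['page'] ?? 'overview';
    $file = is_string($page) ? resolve_page($baseDir, $page) : null;
    if ($file === null) {
        return 404;
    }
    include $file;
    return 200;
}

// Constructed demo tree: one page inside the include directory, one file outside it.
$root = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/about.inc.php', '<?php echo "about page\n";');
file_put_contents($root . '/secret.inc.php', '<?php echo "outside include dir\n";');
$auth = ['authenticated' => true];
var_dump(dispatch($root . '/pages', [], ['page' => 'about']));        // anonymous request
var_dump(dispatch($root . '/pages', $auth, ['page' => '../secret'])); // name fails validation
var_dump(dispatch($root . '/pages', $auth, ['page' => 'about']));     // valid page, logged in
```

Because the page files live outside the document root, the web server can only reach them through the front controller, so nginx needs no per-directory deny rule to match what `.htaccess` did for Apache.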

@murrant murrant added the Security label Apr 11, 2019

@murrant murrant force-pushed the murrant:html-secure branch 2 times, most recently from 2cf7f48 to 2eeb0a5 Apr 11, 2019

murrant added some commits Apr 10, 2019

Security fix: unauthorized access
Affects nginx users:
Moved php files outside of public html directory (Apache was protected by .htaccess)

Affects all users:
Some files did not check for authentication and could disclose some info.
Better checks before including files from user input
git mv html/includes/ includes/html
git mv html/pages/ includes/html/

@murrant murrant force-pushed the murrant:html-secure branch from 2eeb0a5 to 670384d Apr 12, 2019

@murrant murrant merged commit 36431dd into librenms:master Apr 12, 2019

3 of 5 checks passed

Travis CI - Pull Request: Build Errored
codeclimate: Code Climate is analyzing this code.
Inspection Summary
WIP: Ready for review
license/cla: Contributor License Agreement is signed.

murrant added a commit that referenced this pull request Apr 13, 2019

@laf laf deleted the murrant:html-secure branch Apr 14, 2019

funzoneq added a commit to funzoneq/librenms that referenced this pull request Apr 30, 2019

Security fix: unauthorized access (librenms#10091)
* Security fix: unauthorized access
Affects nginx users:
Moved php files outside of public html directory (Apache was protected by .htaccess)

Affects all users:
Some files did not check for authentication and could disclose some info.
Better checks before including files from user input

* git mv html/includes/ includes/html
git mv html/pages/ includes/html/

spencerbutler added a commit to spencerbutler/librenms that referenced this pull request May 21, 2019
