Hi
This sounds a little weird to me: a user misconfiguration leads to crucial
system file exposure? Doesn't it sound reasonable to have some sort of file
restriction or path restriction on which files can be included (especially if
these are just kickstart files)?
Considering that Cobbler deployments are sometimes not done by sysadmins or other
IT personnel, it is worrying us that pretty much any file is exposed via the
Cobbler WebUI.
________________________________________
From: [email protected]
[[email protected]] on behalf of Christopher Liebman
[[email protected]]
Sent: Wednesday, May 07, 2014 5:59 PM
To: cobbler mailing list
Subject: Re: [cobbler] Cobbler WebUI file inclusion in profile page
Hmm, I'm not sure that I would classify a user misconfiguration as a software
security issue.
-- Chris
On May 7, 2014, at 4:28 AM, Dolev Farhi <[email protected]>
wrote:
Hello,
I would like to know whether this issue has been addressed before:
I have created a regular cobbler profile, nothing fancy.
The only thing I did different is changing the ‘Kickstart’ value to the famous
/etc/passwd file.
After saving the profile, I went to ‘View Kickstart’ and managed to get all the
passwd content.
This issue allows any remote attacker to get the local users list and I am
quite sure this can be classified as a security vulnerability.
Please let me know as we have multiple cobbler instances here.
--
df
_______________________________________________
cobbler mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/cobbler
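The path restriction asked for in the thread, as an added example written for this page and not code from Cobbler itself: a profile's user-supplied kickstart value is accepted only if it resolves (after following symlinks and collapsing `..`) to a regular file inside an allow-listed directory. The directory `/var/lib/cobbler/kickstarts` and the function names are assumptions for illustration; the sample kickstart directory built by `demo()` is constructed in a temporary folder so the check can be exercised offline.

```python
import os
import tempfile

# Assumed allow-list for illustration: the directory a deployment keeps its
# kickstart templates in. A real deployment would take this from its config.
DEFAULT_KICKSTART_ROOTS = ("/var/lib/cobbler/kickstarts",)


class KickstartPathError(ValueError):
    """Raised when a profile's kickstart value points outside the allowed roots."""


def resolve_kickstart(user_path, allowed_roots=DEFAULT_KICKSTART_ROOTS):
    """Return the canonical path of user_path if it is a regular file inside one
    of allowed_roots; raise KickstartPathError otherwise.

    realpath() both follows symlinks and collapses '..', so a symlink planted
    inside the kickstart directory that points at /etc/passwd is rejected just
    like a direct /etc/passwd value or a ../ traversal.
    """
    if not isinstance(user_path, str) or not user_path.strip():
        raise KickstartPathError("kickstart path is empty")
    if not os.path.isabs(user_path):
        raise KickstartPathError("kickstart path must be absolute: %r" % (user_path,))
    real = os.path.realpath(user_path)
    for root in allowed_roots:
        root_real = os.path.realpath(root)
        # commonpath == root means 'real' is the root itself or below it; the
        # root directory itself is not an acceptable kickstart, hence the != test.
        if real != root_real and os.path.commonpath([real, root_real]) == root_real:
            if not os.path.isfile(real):
                raise KickstartPathError("kickstart is not a regular file: %r" % (user_path,))
            return real
    raise KickstartPathError("kickstart path %r is outside the allowed roots" % (user_path,))


def is_allowed(user_path, allowed_roots=DEFAULT_KICKSTART_ROOTS):
    """Boolean wrapper around resolve_kickstart() for callers that only need yes/no."""
    try:
        resolve_kickstart(user_path, allowed_roots)
        return True
    except KickstartPathError:
        return False


def demo():
    """Build a throwaway kickstart directory (constructed sample data, not a
    real deployment) and run the check against the cases from the thread.
    Returns a dict mapping a case label to whether the path was accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "kickstarts")
        os.makedirs(root)
        good = os.path.join(root, "default.ks")
        with open(good, "w") as fh:
            fh.write("install\nurl --url http://mirror.example/os\n")  # constructed content
        outside = os.path.join(tmp, "outside.cfg")
        with open(outside, "w") as fh:
            fh.write("not a kickstart\n")  # constructed content
        link = os.path.join(root, "passwd.ks")
        os.symlink("/etc/passwd", link)  # symlink planted inside the allowed dir
        roots = (root,)
        return {
            "regular kickstart": is_allowed(good, roots),
            "/etc/passwd": is_allowed("/etc/passwd", roots),
            "symlink in kickstart dir": is_allowed(link, roots),
            "dot-dot traversal": is_allowed(os.path.join(root, "..", "outside.cfg"), roots),
            "relative path": is_allowed("default.ks", roots),
            "directory itself": is_allowed(root, roots),
        }


if __name__ == "__main__":
    for label, accepted in demo().items():
        print("%-26s %s" % (label, "accepted" if accepted else "rejected"))
```

The check is deliberately done on the resolved path rather than on the string the user typed, so that prefix tests such as `path.startswith(root)` cannot be bypassed with `../` or a symlink; the "View Kickstart" page would then only ever render files the allow-list permits.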