Can this be taken into consideration in the next release?



--
df

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Christopher Liebman
Sent: Thursday, May 08, 2014 12:00 AM
To: cobbler mailing list
Subject: Re: [cobbler] Cobbler WebUI file inclusion in profile page

Ahh - interesting viewpoint.

On May 7, 2014, at 12:30 PM, Dolev Farhi <[email protected]> wrote:

> Hi
> 
> This sounds a little weird to me: a user misconfiguration leads to crucial 
> system files being exposed? Doesn't it sound reasonable to have some sort of file 
> restriction or path restriction on where files can be included from (especially if these 
> are just kickstart files)?
> Considering that cobbler deployments are sometimes not done by sysadmins or other 
> IT personnel, it is worrying us that pretty much any file is exposed via the 
> cobbler webUI.
> ________________________________________
> From: [email protected] 
> [[email protected]] on behalf of Christopher Liebman 
> [[email protected]]
> Sent: Wednesday, May 07, 2014 5:59 PM
> To: cobbler mailing list
> Subject: Re: [cobbler] Cobbler WebUI file inclusion in profile page
> 
> Hmm,  I'm not sure that I would classify a user mis-configuration as a 
> software security issue.
> 
>    -- Chris
> 
> On May 7, 2014, at 4:28 AM, Dolev Farhi 
> <[email protected]> wrote:
> 
> hello,
> 
> I would like to know whether this issue has been addressed before:
> 
> I have created a regular cobbler profile, nothing fancy.
> 
> The only thing I did different is changing the ‘Kickstart’ value to the 
> famous /etc/passwd file.
> 
> After saving the profile, I went to ‘View Kickstart’ and managed to get all 
> the passwd content.
> 
> This issue allows any remote attacker to get the local users list and I am 
> quite sure this can be classified as a security vulnerability.
> 
> Please let me know as we have multiple cobbler instances here.
> 
> --
> 
> df
> 
> _______________________________________________
> cobbler mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/cobbler
> 


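As an added illustration of the path restriction proposed in the thread (example code, not code from the Cobbler project), this Python check canonicalises a requested kickstart path and accepts it only when it resolves to a file under an allowed template directory, so a literal `/etc/passwd`, a `..` traversal and a symlink pointing outside the directory are all rejected. The directory `/var/lib/cobbler/kickstarts` and every function name here are assumptions.

```python
import os
import tempfile

# Assumed allowed root for kickstart templates (configurable in a real deployment).
DEFAULT_ALLOWED_ROOTS = ("/var/lib/cobbler/kickstarts",)


def resolve_kickstart_path(requested, allowed_roots=DEFAULT_ALLOWED_ROOTS):
    """Return the canonical path if it lies inside an allowed root, else raise ValueError.

    realpath() resolves '..' segments and symlinks, so a template symlinked to
    /etc/passwd is rejected just like a literal /etc/passwd. Containment uses
    commonpath() rather than startswith(), so '/var/lib/cobbler/kickstarts_other'
    does not pass as a child of '/var/lib/cobbler/kickstarts'.
    """
    if not requested or "\x00" in requested:
        raise ValueError("empty or invalid kickstart path")
    real = os.path.realpath(requested)
    for root in allowed_roots:
        root_real = os.path.realpath(root)
        if real != root_real and os.path.commonpath([root_real, real]) == root_real:
            return real
    raise ValueError("kickstart path %r is outside the allowed template directories" % requested)


def is_allowed(requested, allowed_roots=DEFAULT_ALLOWED_ROOTS):
    """Boolean wrapper around resolve_kickstart_path for callers that only need accept/reject."""
    try:
        resolve_kickstart_path(requested, allowed_roots)
        return True
    except ValueError:
        return False


def demo():
    """Constructed scenario in a temp directory: a legitimate template, a symlink
    escaping the root, and a '..' traversal. Returns the accept/reject outcome of each."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "kickstarts")
        os.mkdir(root)
        outside = os.path.join(tmp, "secret.txt")  # stands in for /etc/passwd
        with open(outside, "w") as f:
            f.write("not a kickstart\n")
        template = os.path.join(root, "sample.ks")
        with open(template, "w") as f:
            f.write("install\n")
        link = os.path.join(root, "passwd.ks")
        os.symlink(outside, link)
        return {
            "template": is_allowed(template, (root,)),
            "symlink_escape": is_allowed(link, (root,)),
            "traversal": is_allowed(os.path.join(root, "..", "secret.txt"), (root,)),
        }
```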