Yes it can. I think restricting access to the kickstart directory makes sense. Can you please log an issue over at http://github.com/cobbler/cobbler
Thanks! On Thu, May 8, 2014 at 8:03 AM, Dolev Farhi <[email protected]> wrote: > Can this be taken into consideration in next release? > > > > > -- > df > > -----Original Message----- > From: [email protected] [mailto: > [email protected]] On Behalf Of Christopher Liebman > Sent: Thursday, May 08, 2014 12:00 AM > To: cobbler mailing list > Subject: Re: [cobbler] Cobbler WebUI file inclusion in profile page > > Ahh - interesting viewpoint. > > On May 7, 2014, at 12:30 PM, Dolev Farhi <[email protected]> wrote: > > > Hi > > > > This sounds a little weird to me, a user mis configuration leads to > crucial system files exposure? Doesnt it sound reasonable to have some sort > of a file restriction or path restriction to include files from (especially > if these are just kickstart files) > > Considering sometimes cobbler deployments are not done by sysadmins or > other IT personnel it is worrying us that pretty much any file is exposed > via cobbler webUI. > > ________________________________________ > > From: [email protected] [ > [email protected]] on behalf of Christopher Liebman [ > [email protected]] > > Sent: Wednesday, May 07, 2014 5:59 PM > > To: cobbler mailing list > > Subject: Re: [cobbler] Cobbler WebUI file inclusion in profile page > > > > Hmm, I'm not sure that I would classify a user mis-configuration as a > software security issue. > > > > -- Chris > > > > On May 7, 2014, at 4:28 AM, Dolev Farhi <[email protected]<mailto: > [email protected]>> wrote: > > > > hello, > > > > I would like to know whether this issue has been addressed before: > > > > I have created a regular cobbler profile, nothing fancy. > > > > The only thing I did different is changing the ‘Kickstart’ value to the > famous /etc/passwd file. > > > > After saving the profile, I went to ‘View Kickstart’ and managed to get > all the passwd content. > > > > This issue allows any remote attacker to get the local users list and I > am quite sure this can be classified as a security vulnerability. > > > > Please let me know as we have multiple cobbler instances here. > > > > -- > > > > df > > > > > > > > > > > > > > > > > > _______________________________________________ > > cobbler mailing list > > [email protected]<mailto:[email protected]> > > https://lists.fedorahosted.org/mailman/listinfo/cobbler > > > > _______________________________________________ > > cobbler mailing list > > [email protected] > > https://lists.fedorahosted.org/mailman/listinfo/cobbler > > _______________________________________________ > cobbler mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/cobbler > _______________________________________________ > cobbler mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/cobbler > -- Grtz, Jörgen Maas
_______________________________________________ cobbler mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/cobbler
