Yes will do.

Thanks a lot everyone!




--
df

From: [email protected] 
[mailto:[email protected]] On Behalf Of Jörgen Maas
Sent: Thursday, May 08, 2014 9:28 AM
To: cobbler mailing list
Subject: Re: [cobbler] Cobbler WebUI file inclusion in profile page

Yes it can. I think restricting access to the kickstart directory makes sense.
Can you please log an issue over at http://github.com/cobbler/cobbler
Thanks!

On Thu, May 8, 2014 at 8:03 AM, Dolev Farhi <[email protected]> wrote:
Can this be taken into consideration in next release?




--
df

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Christopher Liebman
Sent: Thursday, May 08, 2014 12:00 AM
To: cobbler mailing list
Subject: Re: [cobbler] Cobbler WebUI file inclusion in profile page

Ahh - interesting viewpoint.

On May 7, 2014, at 12:30 PM, Dolev Farhi <[email protected]> wrote:

> Hi
>
> This sounds a little weird to me: a user misconfiguration leads to the exposure 
> of crucial system files? Doesn't it sound reasonable to have some sort of file 
> restriction or path restriction to include files from (especially if these 
> are just kickstart files)?
> Considering sometimes cobbler deployments are not done by sysadmins or other 
> IT personnel, it is worrying us that pretty much any file is exposed via 
> cobbler webUI.
> ________________________________________
> From: [email protected] [[email protected]] on behalf of Christopher Liebman [[email protected]]
> Sent: Wednesday, May 07, 2014 5:59 PM
> To: cobbler mailing list
> Subject: Re: [cobbler] Cobbler WebUI file inclusion in profile page
>
> Hmm,  I'm not sure that I would classify a user mis-configuration as a 
> software security issue.
>
>    -- Chris
>
> On May 7, 2014, at 4:28 AM, Dolev Farhi <[email protected]> wrote:
>
> hello,
>
> I would like to know whether this issue has been addressed before:
>
> I have created a regular cobbler profile, nothing fancy.
>
> The only thing I did different is changing the ‘Kickstart’ value to the 
> famous /etc/passwd file.
>
> After saving the profile, I went to ‘View Kickstart’ and managed to get all 
> the passwd content.
>
> This issue allows any remote attacker to get the local users list and I am 
> quite sure this can be classified as a security vulnerability.
>
> Please let me know as we have multiple cobbler instances here.
>
> --
>
> df
>
> _______________________________________________
> cobbler mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/cobbler




--
Grtz,
Jörgen Maas
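The path restriction Dolev asks for and Jörgen agrees with, as an added example that is not Cobbler's own code: canonicalise the configured kickstart path and refuse anything that does not land inside the kickstart directory before the "View Kickstart" handler reads it. The directory name and helper names are assumptions for illustration.

```python
import os
import tempfile

# Allowed root for kickstart templates. Constructed example value; adjust to
# the directory your Cobbler instance actually serves kickstarts from.
KICKSTART_ROOT = "/var/lib/cobbler/kickstarts"


def resolve_kickstart(requested, root=KICKSTART_ROOT):
    """Return the canonical path of a kickstart, or raise PermissionError.

    Relative names are joined to root; absolute names are accepted only if,
    after '..' components and symlinks are collapsed, they still lie under root.
    """
    root_real = os.path.realpath(root)
    candidate = requested if os.path.isabs(requested) else os.path.join(root_real, requested)
    real = os.path.realpath(candidate)
    # commonpath compares whole components, so a sibling such as
    # '/var/lib/cobbler/kickstarts_old/x' does not pass as a string-prefix match.
    if real == root_real or os.path.commonpath([root_real, real]) != root_real:
        raise PermissionError("kickstart %r is outside %s" % (requested, root))
    return real


def is_allowed_kickstart(requested, root=KICKSTART_ROOT):
    """Boolean form of resolve_kickstart, suitable for profile form validation."""
    try:
        resolve_kickstart(requested, root)
    except PermissionError:
        return False
    return True


def view_kickstart(requested, root=KICKSTART_ROOT):
    """What a 'View Kickstart' handler should do: validate first, then read."""
    with open(resolve_kickstart(requested, root)) as fh:
        return fh.read()


if __name__ == "__main__":
    # Constructed demo: a temporary kickstart root holding one real template
    # and one symlink that points outside the root (rejected by realpath).
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "default.ks"), "w") as fh:
            fh.write("install\n")
        os.symlink("/etc/passwd", os.path.join(root, "escape.ks"))
        for name in ("default.ks", "escape.ks", "/etc/passwd", "../../etc/passwd"):
            print("%-20s allowed=%s" % (name, is_allowed_kickstart(name, root)))
```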
