Package: mantis
Version: 1.2.11-1.2
Severity: normal

Dear Maintainer,

The default mantis config allows directory listings in
all subfolders (e.g. api/). This is not needed and is a potential
security problem, since it lets any visitor browse the contents of
those directories.

I would therefore recommend adding
  Options -Indexes
to /etc/mantis/apache.conf by default (see my modified file below).

thanks for your work
Nicola


-- Configuration Files:
/etc/mantis/apache.conf changed:
# Reporter's /etc/mantis/apache.conf: Mantis web root served under /mantis,
# with "Options -Indexes" added inside the main <Directory> block.
Alias /mantis /usr/share/mantis/www
<Directory /usr/share/mantis/www>
        #
        # Disable these options (as needed) to improve PHP configuration
        #
        # NOTE(review): every PHP hardening directive in this group is
        # commented out, so none of them (display_errors Off, open_basedir,
        # disable_functions, ...) is in effect in this configuration.
        #php_admin_flag display_errors Off
        #php_admin_flag log_errors On
        #php_admin_flag html_errors Off
        #php_admin_flag allow_url_fopen Off
        #php_admin_flag safe_mode On
        #php_admin_value upload_tmp_dir "/tmp"
        # NOTE(review): the two quoted value lines below appear to be e-mail
        # line-wrap continuations of the commented-out open_basedir and
        # disable_functions directives; in the real file each value
        # presumably sits on the same line as its directive -- confirm.
        #php_admin_value open_basedir 
"/usr/share/mantis/www/:/etc/mantis/:/usr/share/php/libphp-phpmailer/:/usr/share/php/adodb/:/tmp/"
        #php_admin_value disable_functions 
"exec,passthru,popen,proc_open,shell_exec,system,socket_create,fsockopen,pfsockopen"
        # +FollowSymLinks lets Apache follow symbolic links under the web root.
        Options +FollowSymLinks
        # Reporter's addition: -Indexes turns off automatic directory listings,
        # so a directory without an index file is no longer listed to visitors.
        # (Indented differently from the surrounding lines; cosmetic only.)
    Options -Indexes
        # No .htaccess overrides; Order/Allow are the Apache 2.2 access-control
        # syntax and grant access from all hosts.
        AllowOverride None
        Order allow,deny
        Allow from all
        AddType application/x-httpd-php .php .phtml
        # Per-directory PHP settings, applied only when mod_php5 is loaded.
        <IfModule mod_php5.c>
                php_flag magic_quotes_gpc Off
                php_flag track_vars On
                php_value include_path .:/usr/share/php:/usr/share
        </IfModule>
        DirectoryIndex index.php
</Directory>
# The admin/ subdirectory additionally requires HTTP Basic authentication
# against the user file /etc/mantis/htaccess.dat.
# NOTE(review): Basic auth sends credentials unencrypted unless the vhost
# is served over TLS; nothing in this snippet shows whether that is the case.
<Directory /usr/share/mantis/www/admin>
        AuthType Basic
        AuthName "Restricted Admin mantis"
        AuthUserFile /etc/mantis/htaccess.dat
        Require valid-user
</Directory>


-- debconf information excluded

