Package: mantis
Version: 1.2.11-1.2
Severity: normal

Dear Maintainer,

The default mantis config allows for directory listings in all subfolders (e.g. api/). This is not needed and might cause a security problem. I would therefore recommend adding Options -Indexes to /etc/mantis/apache.conf by default (see my file below).

Thanks for your work,
Nicola

-- Configuration Files:
/etc/mantis/apache.conf changed:

Alias /mantis /usr/share/mantis/www

<Directory /usr/share/mantis/www>
        #
        # Disable these options (as needed) to improve PHP configuration
        #
        #php_admin_flag display_errors Off
        #php_admin_flag log_errors On
        #php_admin_flag html_errors Off
        #php_admin_flag allow_url_fopen Off
        #php_admin_flag safe_mode On
        #php_admin_value upload_tmp_dir "/tmp"
        #php_admin_value open_basedir "/usr/share/mantis/www/:/etc/mantis/:/usr/share/php/libphp-phpmailer/:/usr/share/php/adodb/:/tmp/"
        #php_admin_value disable_functions "exec,passthru,popen,proc_open,shell_exec,system,socket_create,fsockopen,pfsockopen"

        Options +FollowSymLinks
        Options -Indexes
        AllowOverride None
        Order allow,deny
        Allow from all

        AddType application/x-httpd-php .php .phtml

        <IfModule mod_php5.c>
                php_flag magic_quotes_gpc Off
                php_flag track_vars On
                php_value include_path .:/usr/share/php:/usr/share
        </IfModule>

        DirectoryIndex index.php
</Directory>

<Directory /usr/share/mantis/www/admin>
        AuthType Basic
        AuthName "Restricted Admin mantis"
        AuthUserFile /etc/mantis/htaccess.dat
        Require valid-user
</Directory>

-- debconf information excluded
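An added check, not part of the bug report or of the mantis package: a small Python audit that extracts <Directory> blocks from an Apache config and, applying Apache's merge rules for Options (a line of +/- flags adjusts the inherited set, a line without signs replaces it), reports which blocks still have directory listings (Indexes) enabled. The inherited baseline and the two sample blocks are constructed assumptions.

```python
import re

# Apache merges `Options` per <Directory> section: a line made only of +/- flags
# adjusts the set inherited from enclosing sections, while a line without signs
# replaces that set outright. httpd rejects a line that mixes the two forms.
DIRECTORY_RE = re.compile(r"<Directory\s+(\S+)>(.*?)</Directory>", re.S | re.I)
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.M | re.I)
ALL_OPTIONS = {"execcgi", "followsymlinks", "includes", "indexes", "symlinksifownermatch"}

def apply_options_line(current, line):
    """Return the option set after one `Options ...` directive is applied."""
    tokens = line.split()
    relative = [t[0] in "+-" for t in tokens]
    if any(relative) and not all(relative):
        raise ValueError(f"mixed absolute and relative Options: {line!r}")
    if not any(relative):  # absolute form: replaces the inherited set
        names = {t.lower() for t in tokens}
        return set() if "none" in names else (set(ALL_OPTIONS) if "all" in names else names)
    result = set(current)
    for t in tokens:  # relative form: add or remove each named option
        (result.add if t[0] == "+" else result.discard)(t[1:].lower())
    return result

def directories_with_indexes(config_text, inherited):
    """Paths of <Directory> blocks whose effective Options still contain Indexes."""
    listing_enabled = []
    for path, body in DIRECTORY_RE.findall(config_text):
        options = set(inherited)
        for line in OPTIONS_RE.findall(body):
            options = apply_options_line(options, line)
        if "indexes" in options:
            listing_enabled.append(path)
    return listing_enabled

# Constructed samples: the reporter's block with and without the added directive.
FIXED = """<Directory /usr/share/mantis/www>
    Options +FollowSymLinks
    Options -Indexes
</Directory>"""
UNFIXED = """<Directory /usr/share/mantis/www>
    Options +FollowSymLinks
</Directory>"""
# Assumed baseline (hypothetical): enclosing sections already grant Indexes.
BASELINE = frozenset({"indexes", "followsymlinks"})

if __name__ == "__main__":
    print("unfixed:", directories_with_indexes(UNFIXED, BASELINE))  # ['/usr/share/mantis/www']
    print("fixed:  ", directories_with_indexes(FIXED, BASELINE))    # []
```

The audit only sees the file it is given; to know what a block really inherits, pass in the Options of the enclosing sections from the server's main config as the baseline.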