Hello!
We have been notified by an external audit about a potential
vulnerability in the config.json file that is available on the web at the URL path
/assets/config.json (like https://demo.dspace.org/assets/config.json )
and physically stored among the deployed DSpace web files in the same
directory. The report is attached below. This config file contains
configuration values that may expose the external architecture, like the
internal port of node.js.
We have solved this issue by prohibiting access to the file in the Apache
configuration; we added the following to httpd.conf:
<Location "/assets/config.json">
Require all denied
</Location>
Has anybody else faced this issue, please? It applies to all DSpace
versions 7-9 and probably should be solved generally.
Thanks in advance and happy DSpacing!
Matyas F. Bajger
University of Ostrava - University library
https://library.osu.eu
Summary of the Issue
Issue Type: Exposed config.json / Information Disclosure
Technology: HTTP / JSON Configuration File
Severity: Critical
Affected Host: https://eduard.osu.cz/assets/config.json
Description
During testing, it was observed that the config.json file is publicly
accessible on the affected host. The file discloses base URL
configuration values, including references such as
"http://localhost:4000/" and "https://eduo.osu.cz/server". This
information may expose internal service architecture and could be
leveraged by an attacker for further reconnaissance or exploitation.
No sensitive credentials or active exploitation was observed during testing.
Potential Risks
- Exposure of API configuration and application settings
- Assistance in reconnaissance and mapping of system architecture
- Increased risk of targeted attacks when combined with other vulnerabilities
Recommended Remediation
- Restrict public access to API configuration files
- Ensure sensitive configuration data is not exposed via public endpoints
- Review server configuration to prevent information disclosure
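A defender-side check for the kind of exposure the report describes, added here as an example and not code from DSpace or from this thread: it walks a config.json and lists every string value that points at localhost, a private or loopback IP, or a single-label internal hostname, so an operator can audit a UI config before it is served publicly. The sample config and its field names are constructed for the example and are not DSpace's actual schema.

```python
import ipaddress
import json
import re
import sys
from urllib.parse import urlsplit

# Constructed sample resembling the values quoted in the audit report;
# the keys are assumptions for this example, not DSpace's real config layout.
SAMPLE_CONFIG = json.dumps({
    "ui": {"baseUrl": "https://repo.example.org/"},
    "rest": {"baseUrl": "http://localhost:4000/", "host": "localhost", "port": 4000},
    "solr": {"url": "http://10.0.0.5:8983/solr"},
    "actuators": {"endpointPath": "/actuator/health"},
})

INTERNAL_HOSTNAMES = {"localhost"}
HOST_RE = re.compile(r"^[A-Za-z0-9.\-\[\]:]+$")   # plain hostname / IP literal, no path

def _is_internal_host(host, from_url):
    """True if host is loopback, private, link-local or an internal-style name."""
    h = host.lower()
    if h in INTERNAL_HOSTNAMES or h.endswith((".local", ".internal", ".localdomain")):
        return True
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        # Single-label hostnames inside URLs (http://backend:8080) are container/LAN names.
        return from_url and "." not in h
    return ip.is_private or ip.is_loopback or ip.is_link_local

def _walk(node, path=""):
    """Yield (dotted JSON path, leaf value) for every leaf in the document."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _walk(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _walk(val, f"{path}[{i}]")
    else:
        yield path, node

def find_internal_references(config_text):
    """Return [(json_path, value)] for string values that name an internal host."""
    findings = []
    for path, value in _walk(json.loads(config_text)):
        if not isinstance(value, str):
            continue
        if "://" in value:                      # full URL: inspect its host part
            host = urlsplit(value).hostname
            if host and _is_internal_host(host, from_url=True):
                findings.append((path, value))
        elif HOST_RE.match(value) and _is_internal_host(value, from_url=False):
            findings.append((path, value))     # bare host/IP value such as "localhost"
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for path, value in find_internal_references(text):
        print(f"{path}: {value}")
```

Run it against the deployed file (`python check_config.py /path/to/assets/config.json`) before publishing; any hit is a value that should not be in a world-readable file.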