Bugs item #1567943, was opened at 2006-09-29 13:41
Message generated for change (Comment added) made by mikeruelle
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=446895&aid=1567943&group_id=46652

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: 1.5.x svn
Status: Open
Resolution: None
Priority: 5
Submitted By: John Molohan (johnmolohan)
Assigned to: Nobody/Anonymous (nobody)
Summary: Webserver: security issue, system wide root access

Initial Comment:
From a posting to the devel list a while back; this still applies to current svn. If it can't be patched then a massive warning should go into local_conf.py.

Hi all,

I recently found some security issues within the internal webserver of freevo that might be worth considering, as the webserver can access all the files on a system that the user of the webserver process would (hopefully not root). Just try it out and type http://yourserver/library.rpy/etc/passwd or whatever.

I think the webserver should be restricted to access only files underneath certain directories (at least one).

Greetings and keep on coding such good stuff,
Andreas

----------------------------------------------------------------------

Comment By: Michael Ruelle (mikeruelle)
Date: 2006-09-29 14:39

Message:
Logged In: YES
user_id=849534

I think this mainly comes about when someone sets / as one of their items. We prolly want to just put in a thing to always disallow /etc and maybe a few other files. There is code in the library.py to make sure all files requested are below one of the items directories.

----------------------------------------------------------------------
Freevo-devel mailing list: https://lists.sourceforge.net/lists/listinfo/freevo-devel
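As an added example (not Freevo's library.py and not code from anyone in this thread), here is the kind of containment check Michael's comment describes, in Python: a requested path is served only if it resolves below one of the configured item directories, and a small deny list covers the case where a user has configured / as an item. The function names, the deny list and the sample directories are assumptions.

```python
import os
import posixpath

# Prefixes that are never served even when they fall under an item directory,
# which matters when "/" itself has been configured as an item.
# Constructed list for this example, not Freevo's configuration.
ALWAYS_DENIED = ("/etc", "/proc", "/sys", "/dev", "/root")


def _is_below(path, root):
    """True if the resolved ``path`` is ``root`` itself or lies beneath it.

    realpath() collapses '..' segments and follows symlinks, so a link inside
    an item directory that points outside it is rejected as well.  Comparing
    with commonpath() (not a string prefix) keeps /srv/video2 from matching
    an item directory of /srv/video.
    """
    path = os.path.realpath(path)
    root = os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def resolve_request(url_path, item_dirs):
    """Map the path part of a request to a filesystem path, or None to refuse.

    ``url_path`` is the part after the script name, e.g. '/etc/passwd' in
    'http://yourserver/library.rpy/etc/passwd'.  ``item_dirs`` are the
    configured item directories.  A file is served only if it is below one of
    them and not below any ALWAYS_DENIED prefix.
    """
    # Treat the URL path as absolute and collapse '.'/'..' at the URL level
    # before touching the filesystem.
    fs_path = posixpath.normpath("/" + url_path.lstrip("/"))
    resolved = os.path.realpath(fs_path)

    if any(_is_below(resolved, denied) for denied in ALWAYS_DENIED):
        return None
    if not any(_is_below(resolved, root) for root in item_dirs):
        return None
    return resolved
```

Because the allow-list check runs against the resolved path, a configured item of / makes every file pass it; the deny list is only a backstop for that misconfiguration, not a substitute for choosing narrower item directories.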
