http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6648
Bug #: 6648
Summary: insecure /cgi-bin/koha/ (of staff part) mapping in development mode of installation
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Architecture, internals, and plumbing
AssignedTo: [email protected]
ReportedBy: [email protected]
QAContact: [email protected]
This issue is somewhere between a security issue and an enhancement... the problem occurs only
in a 'dev' installation of Koha (but that is common).
When an installation is done in 'dev' mode, the ScriptAlias in Apache for the
'intranet' is the entire git repository.
As a result, any file that could be executed may be launched by any user from
http://intranet/cgi-bin/koha/... The files are run without arguments.
The problem is important for scripts like cronjobs, which are generally
resource-consuming and run without arguments.
Other scripts that do more evil things may also exist...
As Makefile.PL knows which directories (or files) should be accessible, an .htaccess
should be generated here in order to allow only 'INTRANET_CGI_DIR' and
'INTRANET_TMPL_DIR'.
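As an added illustration (not the Apache configuration Koha ships, and not the reporter's proposal verbatim), the weak 'dev' ScriptAlias is shown next to a hardened variant that keeps the same /cgi-bin/koha/ URL prefix but lets only the two installer-known directories serve anything. The checkout path and the two Define'd directory values are placeholders; the real values are whatever Makefile.PL records as INTRANET_CGI_DIR and INTRANET_TMPL_DIR.

```apache
# Added example, not Koha's own configuration. All paths are placeholders.
Define KOHA_GIT_DIR      "/path/to/koha-git"
Define INTRANET_CGI_DIR  "${KOHA_GIT_DIR}/placeholder-intranet-cgi-dir"
Define INTRANET_TMPL_DIR "${KOHA_GIT_DIR}/placeholder-intranet-tmpl-dir"

# --- Weak 'dev' mapping (the situation this bug describes):
# the whole checkout is the CGI directory, so every executable file in it,
# cronjobs included, is reachable under http://intranet/cgi-bin/koha/ and
# runs with no arguments. Left commented out here for comparison.
#ScriptAlias /cgi-bin/koha/ "${KOHA_GIT_DIR}/"

# --- Hardened mapping: same URL prefix, but the checkout is denied by
# default and only the installer-known directories are opened back up.
ScriptAlias /cgi-bin/koha/ "${KOHA_GIT_DIR}/"

<Directory "${KOHA_GIT_DIR}">
    # Deny everything below the checkout (Apache 2.4 syntax; 2.2 would use
    # "Order deny,allow" / "Deny from all"). AllowOverride None also stops a
    # stray .htaccess inside the repository from reopening it.
    Options None
    AllowOverride None
    Require all denied
</Directory>

# Longer <Directory> paths merge after shorter ones, so these two sections
# override the default deny above for exactly these subtrees.
<Directory "${INTRANET_CGI_DIR}">
    # Only the intranet CGI scripts may execute.
    Options ExecCGI
    Require all granted
</Directory>

<Directory "${INTRANET_TMPL_DIR}">
    # Templates are data, not scripts: reachable, but with ExecCGI off
    # mod_cgi refuses (403) to run anything placed here.
    Options None
    Require all granted
</Directory>
```

After `apachectl configtest` and a reload, a request for any path under /cgi-bin/koha/ that lies outside the two granted directories should answer 403 rather than starting the script. If the .htaccess approach from the report is preferred instead, the same `Require` and `Options` directives go in a generated .htaccess at the checkout root, and the enclosing `<Directory>` must then carry an `AllowOverride` that permits them (at least `Limit` and `Options`).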
_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/