On 9/20/2011 10:18 AM, greg whynott wrote:
> Hello,
>
> I'm sure this is known about, but I noticed if you access urls directly
> on the pfsense box, you can bypass AAA (when using local db at least).
>
> for example, loading:
>
> http://10.111.23.1/lightsquid/index.cgi
>
> will take you to the reports page without being prompted for credentials.
That is known. Packages that do not include the PHP headers from pfSense in such pages are not protected by the auth. Bits in the base system are protected, of course. Also, non-PHP items like images, icons, etc. are accessible. It's always been that way.

There is a ticket, I believe, to improve such handling in lighttpd to protect certain package directories with basic http auth, but as far as I know, nobody has done any real work in that area on making it work in a general way for all packages to use.

Another similar item of note is that packages don't currently hook into the privilege system, so you can't really specify a user to have access to just one package.

Jim
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
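The two mechanisms Jim describes (pages that pull in the pfSense PHP auth include are protected, everything else under the web root is not, and the only general fallback would be basic auth on package directories in lighttpd) can be turned into an audit. The script below is an added example, not pfSense or package code. It assumes that a page counts as protected when it `require`s one of the names in AUTH_INCLUDES (`guiconfig.inc` is the pfSense webGUI include; treat the list as an assumption), that anything ending in `.cgi` cannot use that include at all, and that the htpasswd path in the generated lighttpd stanza is a placeholder. The sample web root is constructed inline so the script runs offline; pass a real web root path as the first argument to scan it instead.

```python
"""Audit a pfSense-style web root for package pages that skip the GUI auth include.

Added example, not pfSense code. Assumptions (labelled):
- AUTH_INCLUDES lists the include names that pull in the webGUI auth check;
  'guiconfig.inc' is the pfSense one, 'authgui.inc' is listed as an assumption.
- Scripts under the web root are PHP or CGI; anything else is static.
"""
import os
import re
from collections import defaultdict

# Assumption: a PHP page is "protected" if it require()s one of these before output.
AUTH_INCLUDES = ("guiconfig.inc", "authgui.inc")
SCRIPT_EXT = (".php", ".cgi")

_REQUIRE_RE = re.compile(
    r"""\b(?:require|include)(?:_once)?\s*\(?\s*['"]([^'"]+)['"]""")


def is_protected(source: str) -> bool:
    """True if the PHP source pulls in one of the known auth includes."""
    for name in _REQUIRE_RE.findall(source):
        if os.path.basename(name) in AUTH_INCLUDES:
            return True
    return False


def classify(path: str, source: str) -> str:
    """Return 'protected', 'unprotected' or 'static' for one web-root file."""
    ext = os.path.splitext(path)[1].lower()
    if ext == ".php":
        return "protected" if is_protected(source) else "unprotected"
    if ext in SCRIPT_EXT:  # .cgi (e.g. Perl) cannot call the PHP include at all
        return "unprotected"
    return "static"  # images, icons, css: reachable without auth, as the mail says


def audit(files: dict) -> dict:
    """Group paths by classification; `files` maps web-root-relative path -> source."""
    report = defaultdict(list)
    for path in sorted(files):
        report[classify(path, files[path])].append(path)
    return dict(report)


def scan_tree(root: str) -> dict:
    """Build the path -> source map from a real web root (unreadable files -> empty)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[rel] = fh.read()
            except OSError:
                files[rel] = ""
    return files


def lighttpd_auth_stanza(paths, realm="pfSense packages") -> str:
    """Emit a lighttpd mod_auth stanza covering the directories of unprotected pages.
    Basic auth over the package directory is the fallback when the page itself
    cannot call the PHP auth include (CGI scripts, static files)."""
    dirs = sorted({os.path.dirname(p).rstrip("/") + "/" for p in paths})
    rules = ",\n".join(
        f'    "{d}" => ( "method" => "basic", "realm" => "{realm}", "require" => "valid-user" )'
        for d in dirs)
    return ('server.modules += ( "mod_auth" )\n'
            'auth.backend = "htpasswd"\n'
            'auth.backend.htpasswd.userfile = "/var/etc/lighttpd-packages.htpasswd"  # assumed path\n'
            f"auth.require = (\n{rules}\n)\n")


# Constructed sample web root standing in for /usr/local/www (not real pfSense files).
SAMPLE = {
    "/index.php": '<?php\nrequire("guiconfig.inc");\necho "dashboard";',
    "/lightsquid/index.cgi": '#!/usr/bin/perl\nprint "reports";',
    "/packages/foo/report.php": "<?php\necho 'unprotected report';",
    "/packages/foo/edit.php": "<?php\nrequire_once('guiconfig.inc');",
    "/themes/pfsense/logo.png": "",
}

if __name__ == "__main__":
    import sys
    files = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    report = audit(files)
    for p in report.get("unprotected", []):
        print("unprotected:", p)
    print(lighttpd_auth_stanza(report.get("unprotected", [])))
```

On the constructed sample the audit flags `/lightsquid/index.cgi` and `/packages/foo/report.php` and emits `auth.require` entries for `/lightsquid/` and `/packages/foo/`. The generated stanza is per-directory rather than per-file on purpose: that matches the ticket Jim mentions, and it covers the CGI and static files that a PHP include could never protect. It does not address the second point in the mail, that packages are outside the privilege system, since basic auth only distinguishes valid users, not per-package rights.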
