Light infodisclosure issue #4816
Comments
Comment by @thomascube on 6 May 2015 06:29 UTC The Roundcube package already comes with a .htaccess file to protect certain locations such as logs and temp directories. We also hint to protect these locations in our [wiki:Howto_Install] page. A specific .htaccess file in the logs folder could indeed be added to protect it in case the rewrite rules do not work as intended.
Milestone changed by @thomascube on 6 May 2015 06:47 UTC later => 1.1.2
Comment by adprotas on 6 May 2015 07:00 UTC Interesting. The .htaccess didn't seem to apply to my installation on Ubuntu 14.04.1. I'll try to investigate to see why this wasn't the case for our installation and report back.
Comment by adprotas on 6 May 2015 07:12 UTC Confirmed that my Ubuntu installation was not picking up the .htaccess file. Fixed, and you can close this issue. Sorry.
Comment by @thomascube on 6 May 2015 08:02 UTC If it didn't apply to your default installation and you didn't notice the instructions, we should probably try to improve this on our side or at least raise the awareness of protecting certain resources. Therefore keeping the ticket open.
Comment by @alecpl on 6 May 2015 08:27 UTC @adprotas: .htaccess didn't apply at all or only the rewrite rules? Because if .htaccess didn't work at all, putting a separate file in the temp directory wouldn't help here anyway. I suppose we should just add a SECURING section to the INSTALL file (or extend the INSTALLATION section).
Comment by @thomascube on 6 May 2015 09:29 UTC Replying to alec:
Those separate files don't need to do rewrite rules but just a generic
I'm just about to write this section.
Status changed by @thomascube on 6 May 2015 09:29 UTC new => assigned
Owner changed by @thomascube on 6 May 2015 09:29 UTC => thomasb
Comment by @alecpl on 6 May 2015 09:44 UTC Replying to thomasb:
Sure, but the main .htaccess file does it using rewrites. That's why my question.
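An added example, not code from this thread or from Roundcube: an audit script that checks whether each sensitive directory under a webroot carries a .htaccess with a generic deny rule (the kind that works without mod_rewrite, as discussed above) and can write one where it is missing. The directory list, the deny patterns and the fallback file content are assumptions of the example, not Roundcube's own files.

```python
import re
from pathlib import Path

# Directories a browser must never be able to read. The thread names logs and
# temp; config is added here as an assumption because it holds DB credentials.
SENSITIVE_DIRS = ("logs", "temp", "config")

# Apache 2.4 and 2.2 spellings of an unconditional deny. Neither needs
# mod_rewrite, so they work even where the main .htaccess rewrite rules do not.
DENY_PATTERNS = (
    re.compile(r"^\s*Require\s+all\s+denied\b", re.I | re.M),
    re.compile(r"^\s*Deny\s+from\s+all\b", re.I | re.M),
)

# Fallback written when a directory has no usable .htaccess (assumed content).
DENY_HTACCESS = """<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
"""


def classify_htaccess(path: Path) -> str:
    """Return 'missing', 'weak' (file exists but has no deny rule) or 'protected'."""
    if not path.is_file():
        return "missing"
    text = path.read_text(errors="replace")
    return "protected" if any(p.search(text) for p in DENY_PATTERNS) else "weak"


def audit_webroot(webroot: str, fix: bool = False) -> dict:
    """Check each sensitive directory under webroot; with fix=True, write a deny file."""
    report = {}
    for name in SENSITIVE_DIRS:
        directory = Path(webroot) / name
        if not directory.is_dir():
            continue  # not every deployment has all of them
        htaccess = directory / ".htaccess"
        status = classify_htaccess(htaccess)
        if status != "protected" and fix:
            htaccess.write_text(DENY_HTACCESS)
            status = "fixed"
        report[name] = status
    return report


if __name__ == "__main__":
    import sys
    print(audit_webroot(sys.argv[1] if len(sys.argv) > 1 else ".", fix="--fix" in sys.argv))
```

A "protected" result still depends on the vhost allowing these directives (AllowOverride must include AuthConfig for Require and Limit for Order/Deny), which is exactly the case the reporter hit; confirm with an HTTP request to the logs path and expect a 403.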
Comment by @thomascube on 7 May 2015 09:03 UTC
Status changed by @thomascube on 7 May 2015 09:03 UTC assigned => closed
Comment by @thomascube on 7 May 2015 09:33 UTC Backported to release-1.1 in 16640c7
Reported by adprotas on 5 May 2015 19:46 UTC as Trac ticket #1490378
The logs directory is not protected from browsing. Most log entries are not bad, but one became evident on my host that was pretty nasty.
It looked like the following:
I obfuscated the sensitive fields, but this would be enough for a non-credentialed user to view the file (via the webroot/logs/errors file), and then replace their own cookies with the entry from above to log in as a user that was listed there.
This seems to be a very rare occurrence, but considering that other SQL/other actions might report other sensitive data into this file, it might be worth automatically protecting this directory with an .htaccess file, or prepending a php tag to avoid overt reading by any unauthenticated user.
Migrated-From: http://trac.roundcube.net/ticket/1490378