Bug #3368
closed
security issue with skins
Added by Shaun Walbridge over 16 years ago.
Updated almost 15 years ago.
Description
The Perl code uses configuration files to get required settings. These settings are currently being served up by Tomcat, but should instead be accessed through filehandles on disk (e.g. /var/metacat/configuration/configuration.file) in a folder not readable via the web.
Short solution for 1.8.1 release:
In registry_installtion.html, a paragraph was added to change the owner and access permissions of those files. The 1.9 release will come up with a better solution, so move it to the 1.9 release.
We changed the configuration files to be <skin-name>.cfg and restricted access to all cfg files via web.xml
Correction: we are using <skin-name>.properties files, which are also protected in web.xml.
Removing all .cfg files and the protection in web.xml for them since they are no longer used.
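The web.xml protection discussed in the updates above relies on a security-constraint whose empty <auth-constraint/> denies the matching URLs to every caller. The following is an added example, not Metacat's own code or configuration: it embeds two constructed web.xml fragments (the skin name "knb" and the /style/skins/ path are assumed for illustration), parses them with the standard library, and reports whether a request for a skin's .properties file would be refused. It also shows two things a practitioner should check: a constraint that names a role is not deny-all, and a pattern such as *.properties does not cover stray copies like knb.properties.bak, which is why the on-disk ownership and permission change from the 1.8.1 workaround still matters.

```python
"""Check whether a Tomcat web.xml denies web access to skin config files.

Added example; not Metacat's own code. The web.xml fragments below are
constructed for illustration and are not copied from any Metacat release.
"""
import xml.etree.ElementTree as ET

# Constructed: a web.xml with no protection for skin configuration files.
WEB_XML_UNPROTECTED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet-mapping>
    <servlet-name>metacat</servlet-name>
    <url-pattern>/metacat</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed: the same web.xml with a deny-all constraint on *.properties.
# An empty <auth-constraint/> lists no role, so no caller is ever allowed.
WEB_XML_PROTECTED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet-mapping>
    <servlet-name>metacat</servlet-name>
    <url-pattern>/metacat</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Skin configuration files</web-resource-name>
      <url-pattern>*.properties</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""

# Constructed: a constraint that names a role. This is NOT deny-all; any
# principal in that role (or any caller, if no login-config is set up
# sensibly) can still fetch the files.
WEB_XML_ROLE_ONLY = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>*.properties</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace from a tag name: '{ns}foo' -> 'foo'."""
    return tag.rsplit('}', 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def deny_all_patterns(web_xml):
    """Return the set of url-patterns that web.xml denies to everyone.

    Only a <security-constraint> carrying an <auth-constraint> with no
    <role-name> denies all callers. A constraint with a role still admits
    that role, and one without <auth-constraint> restricts nothing.
    """
    root = ET.fromstring(web_xml)
    patterns = set()
    for sc in _children(root, 'security-constraint'):
        auth = _children(sc, 'auth-constraint')
        if not auth or _children(auth[0], 'role-name'):
            continue
        for wrc in _children(sc, 'web-resource-collection'):
            for up in _children(wrc, 'url-pattern'):
                patterns.add((up.text or '').strip())
    return patterns


def matches(pattern, path):
    """Servlet-style url-pattern matching: exact, '/dir/*' prefix, '*.ext'."""
    if pattern.startswith('*.'):
        return path.endswith(pattern[1:])          # '*.cfg' -> '.cfg' suffix
    if pattern.endswith('/*'):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + '/')
    return path == pattern


def is_blocked(web_xml, request_path):
    """True if the container would refuse request_path for every caller."""
    return any(matches(p, request_path) for p in deny_all_patterns(web_xml))


if __name__ == '__main__':
    skin_file = '/style/skins/knb/knb.properties'   # assumed skin name/path
    for label, xml in (('unprotected', WEB_XML_UNPROTECTED),
                       ('protected', WEB_XML_PROTECTED),
                       ('role-only', WEB_XML_ROLE_ONLY)):
        print(label, skin_file, 'blocked' if is_blocked(xml, skin_file) else 'SERVED')
    # A stray copy with another suffix slips past the extension pattern.
    print('protected', skin_file + '.bak',
          'blocked' if is_blocked(WEB_XML_PROTECTED, skin_file + '.bak') else 'SERVED')
```

Run it against the real web.xml of a deployment by reading the file into a string and calling is_blocked with the path of each skin's .properties file relative to the context root; a "SERVED" result for any of them means the container will hand the file to an anonymous client.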
Original Bugzilla ID was 3368