From: Peter Müller
Date: Sun, 3 Sep 2017 14:14:53 +0000 (+0200)
Subject: fix WebUI system information leak
X-Git-Tag: v2.19-core114~1^2~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0effbb3569624f42550310689aaf94d726cd9d0e;p=ipfire-2.x.git

fix WebUI system information leak

Disable unauthenticated access to cgi-bin/credits.cgi. The page leaks the currently installed version of IPFire and the hardware architecture. Both pieces of information might make a successful attack much easier.

This issue can be reproduced by accessing https://[IPFire-IP]:444/cgi-bin/credits.cgi and accepting an SSL certificate warning (if any).

Signed-off-by: Peter Müller
Signed-off-by: Michael Tremer
---
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index daac75742d..4897d56d28 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -42,10 +42,6 @@ Satisfy Any Allow from All - - Satisfy Any - Allow from All - Require user admin diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 8783c632bb..c7c05972ed 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -34,10 +34,6 @@ Satisfy Any Allow from All - - Satisfy Any - Allow from All - Require user admin
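
Review bot: in the ipfire-interface-ssl.conf hunk (@@ -42,10 +42,6 @@), the unchanged context directly above the removed lines still carries another "Satisfy Any" / "Allow from All" pair, so at least one unauthenticated exception remains in this vhost. Please confirm that the remaining exception is intentional and does not itself disclose version or architecture details, and that with the credits.cgi exception gone the request now falls under the "Require user admin" section visible in the trailing context. An unauthenticated request to the URL given in the commit message should then be answered with 401 instead of the page, and it would help to say in the message that this was checked.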
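
Review bot: the commit message gives a reproduction only for port 444 over HTTPS, yet the ipfire-interface.conf hunk (@@ -34,10 +34,6 @@) applies the identical four-line removal to a second vhost file. Please state in the message that this vhost was affected and re-tested as well. Since the same access exceptions are maintained in both files, consider moving them into one shared file that both vhosts include, so that a later change cannot be applied to one vhost and missed in the other.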