Author Topic: Security Bug  (Read 3887 times)

martino87r

  • Newbie
  • *
  • Posts: 29
    • View Profile
    • Email
Security Bug
« on: February 04, 2009, 07:19:04 AM »
Well' I'm back finally! After few months focused on my exams i have now time to work on OpenGoo.

I've discovered a little security bug that allow others to access the Upload folder.
The Upload folder (opengoo/upload) can be viewed in web browser because apache allow the listing by default. Even if the content is encrypted it will be better to don't allow listing of that directory (like any other).

I've also fixed this adding a new .htaccess file forbidding listing of that directory.

ignacio

  • Hero Member
  • *****
  • Posts: 1703
    • View Profile
Re: Security Bug
« Reply #1 on: February 04, 2009, 09:57:48 AM »
You're right, we should disallow access to that folder by default.

Thanks.

r2gnl

  • Newbie
  • *
  • Posts: 6
    • View Profile
Re: Security Bug
« Reply #2 on: April 01, 2009, 01:08:24 PM »
well, I just downloaded and installed opengoo version 1.3.1, yet with a browser I can still acces all folder and view any content. Slipped through?

Regards, Remco

ignacio

  • Hero Member
  • *****
  • Posts: 1703
    • View Profile
Re: Security Bug
« Reply #3 on: April 07, 2009, 10:59:26 AM »
Are you using apache? Check if there's a .htaccess file on the upload folder. You need to have your apache configured so that you can allow overriding configuration with .htaccess files.

 

anything
anything