Linshare docker uses the default Apache configuration. The httpd.conf of the repo does not seem to be used.
Linshare code is downloaded into the default htdocs folder, which allows Indexes and FollowSymLinks in the Apache configuration. So we have some directory listing vulnerabilities, at least on these URLs:
/config/
/css/
/js/
Note that the same URLs are impacted on linshare-ui-user-dockerfile.
A directory listing has a default CVSS score of 5.3, which is too high for some security certifications. We are able to justify that the vulnerability is less important, but it is preferable to fix it.
On our instance, I fixed it by adding the following command to the Dockerfile in order to remove unwanted options:
sed -i '/Options Indexes FollowSymLinks/d' /usr/local/apache2/conf/httpd.conf
If you agree with this fix, I can do a PR on both repositories.
Maybe a refactoring of the dockerfile is needed in order to be able to push a custom Apache configuration.
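As an added example (not code from the issue or from the LinShare repositories), a POSIX shell audit that counts the active Options lines in an httpd.conf that enable directory listings and rewrites them with Indexes explicitly disabled instead of deleting the line; the sample config is constructed to mirror the relevant part of the stock httpd.conf.

```shell
#!/bin/sh
# Added example (not LinShare code): audit an httpd.conf for Options lines that
# enable directory listings and rewrite them with Indexes explicitly disabled.

# Constructed sample mirroring the relevant part of the stock httpd.conf.
make_sample_conf() {
  cat > "$1" <<'EOF'
<Directory />
    AllowOverride none
    Require all denied
</Directory>
<Directory "/usr/local/apache2/htdocs">
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# Print the number of active (uncommented) Options lines that turn listings on
# via "Indexes", "+Indexes" or "All"; each offending line is echoed to stderr.
# Token matching is case-sensitive here, although Apache itself is not.
count_indexes() {
  awk '
    /^[[:space:]]*Options([[:space:]]|$)/ {
      for (i = 2; i <= NF; i++)
        if ($i == "Indexes" || $i == "+Indexes" || $i == "All") {
          n++; print FILENAME ":" NR ": " $0 > "/dev/stderr"
        }
    }
    END { print n + 0 }' "$1"
}

# Rewrite every active Options line so Indexes is explicitly off and the other
# options are kept. Apache rejects a mix of bare and +/- options on one line, so
# every surviving option is emitted in +/- form. Result goes to stdout.
harden_options() {
  awk '
    /^[[:space:]]*Options([[:space:]]|$)/ {
      match($0, /^[[:space:]]*/); line = substr($0, 1, RLENGTH) "Options"
      for (i = 2; i <= NF; i++) {
        t = $i
        if (t == "Indexes" || t == "+Indexes" || t == "-Indexes") continue
        if (substr(t, 1, 1) != "+" && substr(t, 1, 1) != "-") t = "+" t
        line = line " " t
      }
      print line " -Indexes"; next
    }
    { print }' "$1"
}
```

Running `count_indexes` on the config before and after `harden_options` gives a simple check that can gate a Docker image build: the stock htdocs block reports 1 before and 0 after.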