Bug #32874 security: deny an access to setup, upgrade and cli scripts
Submitted: 30 Nov 2007 12:07 Modified: 14 Dec 2010 12:07
Reporter: Andrejs Dubovskis
Status: Won't fix
Category: Eventum Severity: S4 (Feature request)
Version: 2.1.1 OS: Any
Assigned to: CPU Architecture: Any

[30 Nov 2007 12:07] Andrejs Dubovskis
Description:
When an upgrade is done it is a good idea to disable HTTP access to the misc directory for security reasons. It contains only upgrade scripts and CLI scripts. But blank.html lives there and is in use.
It should be moved out of the misc directory.

How to repeat:
cat > misc/.htaccess <<EOF
order deny,allow
deny from all
EOF

Open reports in the Events

Suggested fix:
--- index.tpl.html      2006-04-07 07:22:25.000000000 +0300
+++ index.tpl.html.new  2007-11-30 14:05:27.000000000 +0200
@@ -7,8 +7,8 @@
   <frame name="_topframe" src="top.php" marginwidth="0" marginheight="0" scrolling="no" frameborder="0" framespacing="0">
   <frameset cols="225,*" frameborder="1" framespacing="6" topmargin="0" leftmargin="0" marginheight="0" marginwidth="0" border="8" bordercolor="{$light_color}">
     <frame name="_treeframe" src="tree.php" scrolling="no" topmargin="10" leftmargin="10" marginheight="10" marginwidth="10" frameborder="1" border="0">
-    <frame name="basefrm" src="{$rel_url}misc/blank.html" scrolling="auto" topmargin="15" leftmargin="15" marginheight="15" marginwidth="15" frameborder="1" border="0">
+    <frame name="basefrm" src="{$rel_url}/blank.html" scrolling="auto" topmargin="15" leftmargin="15" marginheight="15" marginwidth="15" frameborder="1" border="0">
   </frameset>
 </frameset>
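Review bot: the replacement line changes the path separator convention: the original `{$rel_url}misc/blank.html` appends directly to `$rel_url`, while the new `{$rel_url}/blank.html` inserts a slash, so if `$rel_url` already ends with `/` the frame source becomes `.../` + `/blank.html` with a doubled slash. Use `{$rel_url}blank.html` to match the existing convention. The hunk also only updates the reference; blank.html itself still has to be moved out of misc/ (as the description says), otherwise the frame breaks once misc/ is denied.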
[13 Jan 2008 14:06] Andrejs Dubovskis
In general, access to all setup/upgrade/cli scripts should be closed by default for security reasons.
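A deny-by-default rule for a scripts directory, together with the check that found this very breakage (a template still referencing a file under the denied directory), as an added example that is not part of the report or of Eventum. It assumes an Eventum-like layout with a misc/ directory and templates/*.tpl.html; the sample tree it builds is constructed for the run.

```shell
#!/bin/sh
# Added example, not Eventum's own code. Paths and the sample tree are constructed.

# Write a deny-all .htaccess into the given directory. Apache 2.2 uses
# Order/Deny (the syntax in the report); Apache 2.4 uses Require. Both are
# emitted, selected by the presence of mod_authz_core, so the same file works
# under either version.
write_deny_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Print file:line:reference for every template reference that points into
# the named directory (e.g. misc). Each hit is a browser-facing asset that
# breaks once the directory is denied and must be moved first.
find_web_refs() {
    root="$1"; dir="$2"
    grep -rn -o "[^\"' ]*${dir}/[^\"' >]*" "$root/templates" 2>/dev/null || true
}

# Constructed sample tree standing in for a checkout: one admin script, the
# blank.html the report is about, and two templates (one referencing misc/).
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/misc" "$tmp/templates"
    printf '<?php // upgrade script, must not be web-reachable\n' > "$tmp/misc/upgrade.php"
    printf '<html></html>\n' > "$tmp/misc/blank.html"
    printf '<frame name="basefrm" src="{$rel_url}misc/blank.html">\n' > "$tmp/templates/index.tpl.html"
    printf '<a href="{$rel_url}list.php">list</a>\n' > "$tmp/templates/list.tpl.html"
    printf '%s\n' "$tmp"
}

root=$(make_sample_tree)
write_deny_htaccess "$root/misc"
echo "References into misc/ that break once it is denied:"
find_web_refs "$root" misc
```

Run the reference check before deploying the .htaccess; an empty list means nothing the browser loads still lives in the denied directory.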
[14 Dec 2010 12:07] Valeriy Kravchuk
As Oracle no longer sponsors or coordinates active development of the Eventum software, interested parties should report bugs/feature requests at https://bugs.launchpad.net/eventum