[request-tracker-maintainers] Bug#476269: default apache config should limit REST requests
Arthur de Jong
arthur at west.nl
Tue Apr 15 13:42:06 UTC 2008
Subject: default apache config should limit REST requests
Package: rt3.6-apache2
Version: 3.6.1-4
Severity: normal
File: /etc/request-tracker3.6/apache2-modperl2.conf
Tags: security
The default installation of request tracker ships with sample config
files for Apache that are missing an important directive that may be
unnoticed. A part of the web interface is used for inserting email into
the system (this is used by rt-mailgate).
I came across this in the RT wiki:
http://wiki.bestpractical.com/view/MailGatewayAccessControl
Basically the following should be included by default:
<Location /REST/1.0/NoAuth>
Order Allow,Deny
Allow from 127.0.0.1
</Location>
or maybe the following to follow the installation under /rt:
<Location /rt/REST/1.0/NoAuth>
Order Allow,Deny
Allow from 127.0.0.1
</Location>
Giving direct access to the REST interface allows users to bypass mail
filtering rules.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable'), (60, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages rt3.6-apache2 depends on:
ii apache2 2.2.3-4+etch4 Next generation, scalable, extenda
ii apache2-mpm-prefork [apach 2.2.3-4+etch4 Traditional model for Apache HTTPD
ii libapache-dbi-perl 1.04-0.1 Connect apache server to database
ii libapache2-mod-perl2 2.0.2-2.4 Integration of perl with the Apach
rt3.6-apache2 recommends no packages.
-- no debconf information
--
-- arthur de jong - arthur at west.nl - west consulting b.v. --
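An added example (not part of the bug report or the rt3.6-apache2 package) that checks an Apache config for the restriction the report asks for: a <Location> block on the NoAuth REST path that admits only 127.0.0.1. It parses the two snippets from the report plus a constructed weak config; accepting the Apache 2.4 `Require local` / `Require ip` form alongside the 2.2 `Order`/`Allow from` form is an assumption added here.

```python
import re

# NoAuth paths from the report: with and without the /rt prefix.
NOAUTH_PATHS = ("/REST/1.0/NoAuth", "/rt/REST/1.0/NoAuth")

_LOCATION_RE = re.compile(
    r"<Location\s+([^\s>]+)\s*>(.*?)</Location>", re.IGNORECASE | re.DOTALL)


def location_blocks(config_text):
    """Map each <Location> path to its normalised, lower-cased directive lines."""
    blocks = {}
    for m in _LOCATION_RE.finditer(config_text):
        path = m.group(1).rstrip("/")
        lines = [" ".join(ln.split()).lower() for ln in m.group(2).splitlines()]
        blocks.setdefault(path, []).extend(ln for ln in lines if ln)
    return blocks


def localhost_only(directives):
    """True if the directives admit loopback clients and nobody else."""
    allows = [d for d in directives if d.startswith("allow from")]
    if allows and all(d == "allow from 127.0.0.1" for d in allows):
        if "order allow,deny" in directives:       # default deny, allow loopback
            return True
        if "order deny,allow" in directives and "deny from all" in directives:
            return True
    # Assumption: Apache 2.4 mod_authz_core equivalents are acceptable too.
    requires = [d for d in directives if d.startswith("require ")]
    return bool(requires) and all(
        d in ("require local", "require ip 127.0.0.1") for d in requires)


def check_noauth_restricted(config_text):
    """True iff some NoAuth path has a <Location> block limited to 127.0.0.1."""
    blocks = location_blocks(config_text)
    return any(localhost_only(blocks[p]) for p in NOAUTH_PATHS if p in blocks)


# Constructed samples: the two blocks proposed in the report, and a weak one.
GOOD_CONF = "<Location /REST/1.0/NoAuth>\nOrder Allow,Deny\nAllow from 127.0.0.1\n</Location>\n"
RT_PREFIX_CONF = GOOD_CONF.replace("/REST/", "/rt/REST/")
WEAK_CONF = "<Location /REST/1.0/NoAuth>\nOrder Allow,Deny\nAllow from all\n</Location>\n"

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("rt", RT_PREFIX_CONF), ("weak", WEAK_CONF)):
        print(name, "restricted" if check_noauth_restricted(conf) else "OPEN")
```

Run it against the real file with `check_noauth_restricted(open(path).read())`; an unrestricted result means the mail gateway endpoint is reachable by any client the vhost serves.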