Author: rmeggins
Update of /cvs/dirsec/adminserver/admserv/cfgstuff
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7894/adminserver/admserv/cfgstuff

Modified Files:
      Tag: Directory_Server_8_0_Branch
	admserv.conf.in
Log Message:
Resolves: bugs 437301 and 437320
Description:
Directory Server: shell command injection in CGI replication monitor
Directory Server: unrestricted access to CGI scripts
Fix Description: remove ScriptAlias for bin/admin/admin/bin - do not use that directory for CGI URIs - use only protected URIs for CGIs requiring authentication
Remove most CGI parameters from repl-monitor-cgi.pl - user must supply replmon.conf in the admin server config directory instead of passing in this pathname - repl-monitor-cgi.pl does not use system to call repl-monitor.pl, it "includes" that script (using perl import).
Platforms tested: all supported platforms
Flag Day: no
Doc impact: release notes are available
Index: admserv.conf.in =================================================================== RCS file: /cvs/dirsec/adminserver/admserv/cfgstuff/admserv.conf.in,v retrieving revision 1.10 retrieving revision 1.10.2.1 diff -u -r1.10 -r1.10.2.1 --- admserv.conf.in 7 Dec 2007 17:43:50 -0000 1.10 +++ admserv.conf.in 15 Apr 2008 16:44:35 -0000 1.10.2.1 @@ -25,7 +25,6 @@ ADMServerVersionString "@capbrand@-Administrator/@PACKAGE_VERSION@" ADMConfigDir "@configdir@"
-ScriptAlias /bin/admin/admin/bin/ "@cgibindir@/" ScriptAlias /dist/ "@cgibindir@/" ScriptAlias /manual/help/ "@cgibindir@/"
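Review bot: dropping the `/bin/admin/admin/bin/` ScriptAlias removes one unauthenticated entry point, but the two remaining lines `ScriptAlias /dist/ "@cgibindir@/"` and `ScriptAlias /manual/help/ "@cgibindir@/"` still expose every CGI in the same `@cgibindir@` directory under those prefixes, so the fix for "unrestricted access to CGI scripts" only holds if the `<Location /dist/>` and `<Location /manual/help/>` blocks (outside this hunk) actually require authentication; please confirm that in the same change, or split the download and help CGIs into a directory that holds nothing else. Also worth a line in the release notes: any client or bookmark that hard-codes a `/bin/admin/admin/bin/...` URI will now get a 404 rather than an access-denied, which is the intended outcome but an observable behaviour change.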
@@ -63,7 +62,7 @@
# remap / requests to the download CGI RewriteEngine on -RewriteRule ^/$ /bin/admin/admin/bin/download [R,L,QSA] +RewriteRule ^/$ /dist/download [R,L,QSA]
# remap admin server icons Alias /admin-serv/tasks/icons/ @icondir@/
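Review bot: the new `RewriteRule ^/$ /dist/download [R,L,QSA]` only remaps the bare root, so after the ScriptAlias removal above there is no rule covering the old `^/bin/admin/admin/bin/` prefix; a reviewer would ask whether an explicit rule returning a 403 or 410 for that prefix is wanted, both so that old links fail clearly and so that access-log monitoring can distinguish legacy clients from probes for the removed path. The `QSA` flag forwards the original query string into the redirect to `/dist/download`; since `/dist/` maps to the shared CGI directory, confirm the download CGI validates those parameters itself rather than relying on the old URI path having been the only way in.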
389-commits@lists.fedoraproject.org