
#1 2018-09-14 09:20:35

danielmjmarques
Guest
Registered: 2018-09-14
Posts: 1

Update 9.3.0 to 9.3.1 - Security Failure

First of all, sorry for my poor English.

After upgrading my system to version 9.3.1 (before that I was using 9.3.0), I realized that the system released access to documents without any control.

I can say that, with my experience in Linux and GLPI, I would never leave anything set to use 777 on files or folders.

I rolled back the version and the problem stopped.

To validate the failure, one must access the address http://IP_SERVIDOR/front/document.send.php?Docid=351 (this case is just an example).

I hope this helps the community check the problem. I apologize for my mistake if the team sees that there is a security breach in the application.



pt_BR - Version

First of all, sorry for my terrible English.

After updating my system to version 9.3.1 (before that I was using 9.3.0), I noticed that the system was releasing access to documents without any control at all.

I can state that, with my experience in Linux and GLPI, I would never leave anything set to use 777 on files or folders.

I rolled back the version and the problem stopped.

To validate the flaw, one must access the address http://IP_SERVIDOR/front/document.send.php?Docid=351 (this case is just an example).

I hope this helps the community check the problem. I apologize for my mistake if the team sees that there is a security flaw in the application.

Regards, Daniel Marques

Last edited by danielmjmarques (2018-09-14 09:25:03)


#2 2018-09-17 08:35:06

orthagh
Administrator
From: TECLIB - CAEN
Registered: 2010-11-30
Posts: 561

Re: Update 9.3.0 to 9.3.1 - Security Failure

By default, the release archive sets 775 on the files folder. We checked twice to be sure.
This files folder doesn't need to be open on the HTTP port, and so the check in the update/install process is there to warn the admin that he could have a security issue regarding the current configuration.

So no breach in GLPI, just a bad setup on your side.

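A defender-side check for the two points raised in this reply (nothing looser than the 775 default on the files folder, and the folder not being served over HTTP), written as an added example here; it is not GLPI's own install/update check, and the `files/` path under the base URL and the `http://IP_SERVIDOR` placeholder are assumptions.

```shell
#!/bin/sh
# Added example, not GLPI's own install/update check: audit a GLPI "files"
# directory for the two conditions discussed in the thread. Paths and URLs
# are placeholders supplied by the caller.

# Report every world-writable entry (mode o+w, e.g. 777 or 666) below $1,
# i.e. anything looser than the 775 the release archive ships with.
# Returns 0 when none is found, 1 when at least one is, 2 on a bad argument.
check_files_perms() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    offenders=$(find "$dir" -perm -o+w)
    if [ -n "$offenders" ]; then
        printf 'world-writable entries under %s:\n%s\n' "$dir" "$offenders"
        return 1
    fi
    return 0
}

# Probe the files folder through the web server: a 403 or 404 is the expected
# answer, a 200 means the directory is served and the vhost/.htaccess denial
# is missing. $1 is the GLPI base URL, e.g. http://IP_SERVIDOR (placeholder
# from the thread); the "files/" suffix is an assumption about the layout.
# Needs curl and network access. Returns 0 when blocked, 1 when exposed,
# 2 for any other status, which should be inspected by hand.
check_files_over_http() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/files/")
    case "$code" in
        403|404) echo "files/ not served (HTTP $code)"; return 0 ;;
        200)     echo "files/ reachable over HTTP (HTTP $code)"; return 1 ;;
        *)       echo "unexpected HTTP $code for files/, inspect manually"; return 2 ;;
    esac
}

# Usage (placeholders): check_files_perms /path/to/glpi/files
#                       check_files_over_http http://IP_SERVIDOR
```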
