[rancid] Re: No Password required to read Configs.
Dan_Mitton at YMP.GOV
Thu Apr 8 16:43:42 UTC 2010
Nicky,
What OS are we talking about? The easy answer is to remove cvsweb.cgi,
but if you don't want to do that, make sure that your web server and
rancid processes run with separate user IDs and that the two cannot read
each other's files.
Dan
Sent by: rancid-discuss-bounces at shrubbery.net
To: rancid-discuss at shrubbery.net
cc: (bcc: Dan Mitton/YD/RWDOE)
Subject: [rancid] No Password required to read Configs.
LSN: Not Relevant - Not Privileged
User Filed as: Excl/AdminMgmt-14-4/QA:N/A
Hi All,
We have a Rancid installation on an internal IP. Everything is pretty
much default and only our Cisco devices are managed through Rancid. I
just noticed a truck-sized hole in my config however.
If you enter http://192.168.32.2/cgi-bin/cvsweb.cgi/ in your browser,
you can access the config files for all our devices without a password.
I have limited the IPs which can reach port 80 but that is far from
enough. What must I change to protect this data? Is there a howto? Did
I miss a section of the installation manual?
Nicky.
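
The separation suggested in the reply can be checked from file modes. The following is an added example, not code from the thread or from RANCID: it lists the files under a repository directory that a given uid and group set could open, before and after the top directory is restricted to owner and group. The tree layout, the file names and the web server identity are constructed, and only classic mode bits are modelled (no ACLs, no uid 0).

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, want):
    """Classic Unix check: owner bits, else group bits, else other bits."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return bits & 7 & want == want

def exposed_files(root, uid, gids):
    """Regular files under root that a process with uid/gids can open for reading."""
    found, stack = [], [root]
    while stack:
        d = stack.pop()
        # Without search (x) permission on a directory, nothing below it is reachable.
        if not allowed(os.lstat(d), uid, gids, 1):
            continue
        for name in os.listdir(d):
            path = os.path.join(d, name)
            st = os.lstat(path)  # lstat: symlinks are not followed
            if stat.S_ISDIR(st.st_mode):
                stack.append(path)
            elif stat.S_ISREG(st.st_mode) and allowed(st, uid, gids, 4):
                found.append(os.path.relpath(path, root))
    return sorted(found)

def build_sample_repo(base):
    """Constructed stand-in for a config repository; all names are made up."""
    repo = os.path.join(base, "CVS")
    cfg = os.path.join(repo, "routers", "configs")
    os.makedirs(cfg)
    for d in (repo, os.path.dirname(cfg), cfg):
        os.chmod(d, 0o755)
    sample = os.path.join(cfg, "core-rtr1,v")
    with open(sample, "w") as fh:
        fh.write("constructed sample\n")
    os.chmod(sample, 0o644)
    return repo

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        repo = build_sample_repo(tmp)
        st = os.lstat(repo)
        web_uid, web_gids = st.st_uid + 1, {st.st_gid + 1}  # hypothetical web server identity
        print("before:", exposed_files(repo, web_uid, web_gids))
        os.chmod(repo, 0o750)  # owner and group only
        print("after: ", exposed_files(repo, web_uid, web_gids))
```

If the web server account belongs to the group that owns the repository, mode 0750 still leaves every file reachable, so group membership has to be checked as well.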