View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000417 | Main CAcert Website | website content | public | 2007-02-26 04:38 | 2013-01-14 21:28 |
Reporter | hanno | Assigned To | Sourcerer | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Fixed in Version | 2007 | ||||
Summary | 0000417: http://www.cacert.org/docs/ shows directory listing | ||||
Description | http://www.cacert.org/docs/ shows an Apache directory listing. Most probably not the way it should be. BTW, especially for a high-security site like cacert, it's probably a good idea to turn indexes off in the Apache config. | ||||
Tags | No tags attached. | ||||
Reviewed by | |||||
Test Instructions | |||||
|
Why is this an issue, security or otherwise? |
|
Well, maybe you should ask the people who visited the CAcert meeting what they think about getting watched at http://cacert.org/docs/wth-cacert-pgp-keysigning-party-111.mp4. It is simply bad behaviour to offer directory listings for people who are looking for information, especially for those who are looking for the CPS document, which should be there as mentioned at the new client certificate request form (https://www.cacert.org/account.php?id=3). |
|
<ascii`> https://bugs.cacert.org/view.php?id=417 <-- can be solved with an .htaccess with Options -Indexes -FollowSymLinks depending on the AllowOverride of the father
<ascii`> probably it's good to disable directory listing system wide
<ascii`> in apache.conf/httpd.conf inside the <Directory /> section
<udontknow> sourcerer: test1 time :P
<sourcerer> As far as I understood Duane, the directory listing was intentional
<udontknow> sourcerer: for docs/
<udontknow> sourcerer: or what?
<ascii`> okay let's just check that the default value is -Indexes
<sourcerer> Yes, the /docs directory listing was intentional, I think
<sourcerer> I changed it to -Indexes now this bug is now resolved |
|
Please undo these changes; there are numerous files in that directory that aren't linked to by other pages. This directory was intentionally left viewable for a reason and now it's broken. Not to mention this change was pointless since the same files are in the source file tarball. |
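
The two approaches discussed in the notes above (a server-wide default in the `<Directory />` section and a per-directory `.htaccess`), as an added configuration example that is not from the thread and not CAcert's actual configuration. The paths under `/var/www/example` and the `IndexIgnore` pattern are assumptions chosen for illustration.

```apache
# ---- httpd.conf / apache2.conf (main server config) ----

# Server-wide default: no generated listings anywhere unless a
# more specific section turns them back on.
<Directory />
    # Relative form (-): removes only Indexes, keeps other inherited options.
    Options -Indexes
    # With None, .htaccess files are not read at all, so an
    # "Options" line placed in one is silently ignored.
    AllowOverride None
</Directory>

# Placeholder document root: let .htaccess files change Options only.
# Without "Options" (or "All") here, a .htaccess that contains an
# Options directive makes every request to that directory fail with 500.
<Directory "/var/www/example">
    AllowOverride Options
</Directory>

# A directory that is meant to be browsable is re-enabled explicitly,
# so the listing is a recorded decision rather than an inherited default.
<Directory "/var/www/example/docs">
    Options +Indexes
    # Hides matching names from the generated listing only; the files
    # are still served to anyone who requests the URL directly.
    IndexIgnore *.mp4
</Directory>

# ---- /var/www/example/private/.htaccess (per-directory alternative) ----
# Takes effect only because the parent section above allows
# "AllowOverride Options".
Options -Indexes -FollowSymLinks
```

With `-Indexes` in effect, a request for a directory that has no `DirectoryIndex` file returns 403 instead of a listing; files that are neither linked nor listed remain reachable by exact URL, so hiding the index is not access control.
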
Date Modified | Username | Field | Change |
---|---|---|---|
2007-02-26 04:38 | hanno | New Issue | |
2007-02-26 16:44 | duane | Note Added: 0000808 | |
2007-03-20 10:56 | beastie | Note Added: 0000817 | |
2007-03-27 19:51 | ascii | Note Added: 0000823 | |
2007-03-27 19:52 | ascii | Status | new => closed |
2007-03-27 19:52 | ascii | Resolution | open => fixed |
2007-03-30 10:30 | duane | Note Added: 0000830 | |
2007-03-30 10:31 | duane | Assigned To | => Sourcerer |
2007-03-30 10:31 | duane | Status | closed => needs work |
2007-03-30 10:32 | duane | Resolution | fixed => open |
2007-03-30 10:34 | duane | Note Edited: 0000830 | |
2007-07-30 21:12 | Sourcerer | Status | needs work => closed |
2007-07-30 21:12 | Sourcerer | Resolution | open => fixed |
2013-01-14 21:28 | Werner Dworak | Fixed in Version | => 2007 |