[GeoNode-devel] Private data is publicly visible

Jeffrey Johnson ortelius at gmail.com
Fri Feb 10 07:30:34 PST 2017


Note the PR only changes the documentation. We need to make sure this is
taken care of in the debian packages and the ansible.

On Fri, Feb 10, 2017 at 1:07 AM, Simone Dalmasso <simone.dalmasso at gmail.com>
wrote:

> Thank you for the PR and the report,
>
> we will also check the package status and update it accordingly if needed.
>
> Ciao!
>
> 2017-02-10 1:12 GMT+01:00 Jonathan Doig <j.doig at unsw.edu.au>:
>
>> Thanks Simone for your response
>> <https://github.com/GeoNode/geonode/issues/2896#issuecomment-278587461>
>> on GitHub.
>>
>> I’ve issued a pull request for a change to the manual install doco,
>> removing the uploaded/layers block from /etc/apache2/sites-available/geonode.conf.
>> The same may be needed for other install methods (ansible? quick install?).
>>
>> There are easily discovered geonode sites out there with this
>> vulnerability. I’ve emailed the admins of a number of sites I found. They
>> need to know they should make this change, especially now that I’ve exposed
>> it here :/
>>
>> I’ve also emailed geonode-users.
>>
>> Also the upgrade path for existing sites may need some specific
>> instruction to remove this block from the Apache conf.
>>
>> Regards
>>
>> Jonathan
>>
>> *From:* geonode-devel [mailto:geonode-devel-bounces at lists.osgeo.org] *On
>> Behalf Of *Jonathan Doig
>> *Sent:* Thursday, 9 February 2017 12:03 PM
>> *To:* geonode-devel at lists.osgeo.org
>> *Subject:* [GeoNode-devel] Private data is publicly visible
>>
>> Hi all
>>
>> In Geonode 2.4, all uploaded data can be listed and downloaded from
>> http://<host>/uploaded/layers regardless of security permissions.
>>
>> This seems to be by design. The installation doco
>> <http://docs.geonode.org/en/master/tutorials/install_and_admin/geonode_install/setup_configure_httpd.html>
>> says to make it all wide open:
>>
>> sudo chmod -Rf 777 /home/geonode/geonode/geonode/uploaded/thumbs
>>
>> sudo chmod -Rf 777 /home/geonode/geonode/geonode/uploaded/layers
>>
>> Raised as issue 2896 <https://github.com/GeoNode/geonode/issues/2896>.
>>
>> Removing ‘other’ permission (chmod 770) breaks the upload function.
>>
>> *Jonathan Doig*
>>
>> *Software Engineer – Spatial Systems*
>>
>> *City Futures Research Centre*
>>
>> *UNSW Built Environment *
>>
>
>
> --
> Simone
>
> _______________________________________________
> geonode-devel mailing list
> geonode-devel at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/geonode-devel
>
>
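An added defender-side check, written for this archive page and not taken from the thread or from the GeoNode project: a POSIX shell audit that flags the two conditions discussed above, the Apache Alias/Directory block for uploaded/layers still present in the site config, and the world-readable/world-writable modes left by the documented chmod 777. The config path, the uploads path and the grep pattern for the block are assumptions.

```shell
#!/bin/sh
# Added audit helper, not GeoNode project code. Assumes the install layout the
# thread describes: an Apache site config (default
# /etc/apache2/sites-available/geonode.conf) that may still contain the
# Alias/Directory block for uploaded/layers, and an uploads directory whose
# layers/ subtree the install docs chmod -Rf 777. The grep pattern is an
# assumption about how that block is written in the config.

# Succeeds if the site config still has an Alias or <Directory> line that
# names uploaded/layers, i.e. Apache serves the raw upload tree directly,
# bypassing GeoNode's own permission checks on layer downloads.
conf_exposes_layers() {
    grep -Eq '^[[:space:]]*(Alias|<Directory)[^#]*uploaded/layers' "$1"
}

# Count entries under a path whose mode grants the given "other" bit
# (004 = read, 002 = write). Output is trimmed so [ -gt ] works on any wc.
count_other_bit() {
    find "$1" -perm "-$2" 2>/dev/null | wc -l | tr -d ' '
}

# Run both checks; print one FINDING line per problem, return 1 if any.
audit_geonode_uploads() {
    conf="$1"; uploads="$2"; rc=0
    if conf_exposes_layers "$conf"; then
        echo "FINDING: $conf still serves uploaded/layers through Apache; remove that Alias/Directory block"
        rc=1
    fi
    r=$(count_other_bit "$uploads/layers" 004)
    w=$(count_other_bit "$uploads/layers" 002)
    if [ "$r" -gt 0 ] || [ "$w" -gt 0 ]; then
        echo "FINDING: $uploads/layers has $r world-readable and $w world-writable entries (the mode chmod -Rf 777 leaves behind)"
        rc=1
    fi
    return $rc
}

# Usage: sh audit_geonode.sh /etc/apache2/sites-available/geonode.conf \
#            /home/geonode/geonode/geonode/uploaded
if [ "$#" -eq 2 ]; then
    audit_geonode_uploads "$1" "$2"
fi
```

Point the same two functions at the thumbs directory if that tree is served the same way; a non-zero exit from audit_geonode_uploads is the signal to fix the config before the permissions.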