[GeoNode-users] Geonode security vulnerability

Daniel Victoria daniel.victoria at gmail.com
Mon Feb 13 03:04:48 PST 2017


The geonode.conf file in my Geonode installation (2.4) did not have those
lines. However, the upload/layers directory was still open to all. Looking
at the geonode.conf file I noticed that the uploaded/documents directory
was closed with the options:

<Directory "/var/www/geonode/uploaded/documents/">
       Order allow,deny
       Deny from all
</Directory>

So I repeated the same lines for the layers directory:

<Directory "/var/www/geonode/uploaded/layers/">
       Order allow,deny
       Deny from all
</Directory>

Does that look ok? Or am I bound to break something? Until now, everything
looks fine

Thanks
Daniel


On Mon, Feb 13, 2017 at 4:15 AM, Simone Dalmasso <simone.dalmasso at gmail.com>
wrote:

> Hi Jonathan,
>
> the change is not yet published in the packages but the 2.6 will
> definitely contain it.
>
> Best
>
> 2017-02-13 0:28 GMT+01:00 Jonathan Doig <j.doig at unsw.edu.au>:
>
>> I’ve tested upload at my end after the change: no impact. Also it was
>> advised (and merged to the doco) by Geonode dev Simone Dalmasso.
>>
>>
>>
>> Regards
>>
>> Jonathan
>>
>>
>>
>> *From:* Daniel Victoria [mailto:daniel.victoria at gmail.com]
>> *Sent:* Friday, 10 February 2017 11:22 PM
>> *To:* Jonathan Doig
>> *Cc:* geonode-users at lists.osgeo.org
>> *Subject:* Re: [GeoNode-users] Geonode security vulnerability
>>
>>
>>
>> Hi Jonathan,
>>
>> Thanks for the heads up. Just to be sure, by changing the geonode.conf I
>> won't break any other GeoNode functionality?
>>
>> Cheers
>>
>> Daniel
>>
>>
>>
>> On Thu, Feb 9, 2017 at 10:10 PM, Jonathan Doig <j.doig at unsw.edu.au>
>> wrote:
>>
>> Dear all
>>
>>
>>
>> I found this issue on my own site and am passing it on as it also affects
>> a number of sites I’ve found online.
>>
>>
>>
>> The data on your Geonode site may be publicly downloadable, regardless of
>> permissions, at:
>>
>> http://<your_geonode_host>/uploaded/layers/
>>
>>
>>
>> You need to edit /etc/apache2/sites-available/geonode.conf and remove
>> the block which tells Apache to serve uploaded/layers/. It will look
>> something like this:
>>
>>
>>
>>     <Directory "/home/geonode/geonode/geonode/uploaded/layers/">
>>
>>         Order allow,deny
>>
>>         Options Indexes FollowSymLinks
>>
>>         Allow from all
>>
>>         Require all granted
>>
>>         IndexOptions FancyIndexing
>>
>>     </Directory>
>>
>>
>>
>> Then restart Apache:
>>
>>
>>
>>     sudo service apache2 restart
>>
>>
>>
>> I’ve issued a pull request <https://github.com/GeoNode/geonode/pull/2899>
>> to update the install doco
>> <http://docs.geonode.org/en/master/tutorials/install_and_admin/geonode_install/setup_configure_httpd.html#apache-configuration>.
>> As a courtesy, I’ve also contacted the admins of sites I found through a
>> “Powered by Geonode” Google search.
>>
>>
>>
>> Regards
>>
>> *Jonathan Doig*
>>
>> *Software Engineer – Spatial Systems*
>>
>> *City Futures Research Centre*
>>
>> *UNSW Built Environment *
>>
>> Level 3, Red Centre West Wing
>>
>>
>>
>> UNSW Sydney
>>
>> NSW 2052 AUSTRALIA
>>
>> T: +61 (2) 9385 5319 M: 0409 049185
>>
>> cityfutures.net.au <http://cityfutures.be.unsw.edu.au/>
>>
>>
>> _______________________________________________
>> geonode-users mailing list
>> geonode-users at lists.osgeo.org
>> https://lists.osgeo.org/mailman/listinfo/geonode-users
>>
>>
>>
>>
>
>
> --
> Simone
>
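An added audit script (not from this thread or from the GeoNode project) that parses the `<Directory>` blocks of a geonode.conf and flags any `uploaded/` directory whose block grants access with `Indexes` on, which is exactly what the quoted layers block does; the sample config is constructed from the blocks quoted in this thread. Since `Order`/`Allow`/`Deny` are Apache 2.2 directives that 2.4 only honours when mod_access_compat is loaded, the hardened replacement block it emits uses `Require all denied` (the function names and the `/var/www/...` paths in the sample are assumptions).

```python
import re

# Constructed sample config, modelled on the two blocks quoted in this thread:
# uploaded/documents closed with 2.2-style directives, uploaded/layers served with listings.
SAMPLE_CONF = """
<Directory "/var/www/geonode/uploaded/documents/">
    Order allow,deny
    Deny from all
</Directory>

<Directory "/var/www/geonode/uploaded/layers/">
    Order allow,deny
    Options Indexes FollowSymLinks
    Allow from all
    Require all granted
    IndexOptions FancyIndexing
</Directory>
"""

BLOCK_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)


def parse_directory_blocks(conf):
    """Return {path: [normalised directive lines]} for every <Directory> block in conf."""
    blocks = {}
    for path, body in BLOCK_RE.findall(conf):
        lines = (" ".join(line.split()).lower() for line in body.splitlines())
        blocks[path] = [line for line in lines if line and not line.startswith("#")]
    return blocks


def is_listing_exposed(directives):
    """True when a block grants access (2.2 Allow or 2.4 Require syntax), carries no
    explicit deny, and enables Indexes, i.e. Apache will serve a browsable listing."""
    denied = any(d.startswith("deny from all") or d == "require all denied" for d in directives)
    granted = any(d.startswith("allow from all") or d == "require all granted" for d in directives)
    indexes = any(d.startswith("options") and
                  any(tok in ("indexes", "+indexes") for tok in d.split()[1:])
                  for d in directives)
    return granted and not denied and indexes


def exposed_upload_dirs(conf):
    """Paths under an uploaded/ tree whose block would serve a directory listing."""
    return sorted(path for path, dirs in parse_directory_blocks(conf).items()
                  if "/uploaded/" in path and is_listing_exposed(dirs))


def hardened_block(path):
    """Apache 2.4 replacement block: disables listings and denies all web access
    (uses Require, which does not depend on mod_access_compat)."""
    return f'<Directory "{path}">\n    Options -Indexes\n    Require all denied\n</Directory>\n'
```

Running `exposed_upload_dirs(open("/etc/apache2/sites-available/geonode.conf").read())` against a live config lists the directories to close before restarting Apache.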

