[GeoNode-users] Geonode security vulnerability

Simone Dalmasso simone.dalmasso at gmail.com
Tue Feb 14 02:33:20 PST 2017


Right, good catch, giving permission to only thumbs should be enough.

2017-02-14 11:18 GMT+01:00 Alessio Fabiani <alessio.fabiani at geo-solutions.it>:

> I guess it would be good to update also this script
>
> https://github.com/GeoNode/geonode/blob/master/package/install.sh#L109
>
>
> Best Regards,
> Alessio Fabiani.
>
> ==
> GeoServer Professional Services from the experts!
> Visit http://goo.gl/it488V for more information.
> ==
>
> Ing. Alessio Fabiani
> @alfa7691
> Founder/Technical Lead
>
> GeoSolutions S.A.S.
> Via di Montramito 3/A
> 55054  Massarosa (LU)
> Italy
> phone: +39 0584 962313
> fax:   +39 0584 1660272
> mob:   +39 331 6233686
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it
>
> -------------------------------------------------------
>
> *NOTICE PURSUANT TO LEGISLATIVE DECREE 196/2003*
>
> The information contained in this e-mail message and/or in the attached
> file(s) is to be considered strictly confidential. Its use is permitted
> exclusively to the addressee of the message, for the purposes indicated in
> the message itself. Should you receive this message without being its
> addressee, we kindly ask you to notify us by e-mail and to destroy the
> message, deleting it from your system. Retaining the message, disclosing it
> even in part, distributing it to other parties, copying it, or using it for
> other purposes constitutes conduct contrary to the principles laid down by
> Legislative Decree 196/2003.
>
>
>
> The information in this message and/or attachments, is intended solely for
> the attention and use of the named addressee(s) and may be confidential or
> proprietary in nature or covered by the provisions of privacy act
> (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
> Code). Any use not in accord with its purpose, any disclosure, reproduction,
> copying, distribution, or either dissemination, either whole or partial, is
> strictly forbidden except previous formal approval of the named
> addressee(s). If you are not the intended recipient, please contact
> immediately the sender by telephone, fax or e-mail and delete the
> information in this message that has been received in error. The sender
> does not give any warranty or accept liability as the content, accuracy or
> completeness of sent messages and accepts no responsibility for changes
> made after they were sent or for other risks which arise as a result of
> e-mail transmission, viruses, etc.
>
> ---------------------------------------------------------------------
>
> On Tue, Feb 14, 2017 at 12:04 AM, Jonathan Doig <j.doig at unsw.edu.au>
> wrote:
>
>> OK for consistency I’ve added those lines for uploaded/layers to the 2.4
>> manual install doco in this pull request
>> <https://github.com/GeoNode/geonode/pull/2904>.
>>
>>
>>
>> Jonathan
>>
>>
>>
>> *From:* Simone Dalmasso [mailto:simone.dalmasso at gmail.com]
>> *Sent:* Monday, 13 February 2017 11:29 PM
>> *To:* Daniel Victoria
>> *Cc:* Jonathan Doig; geonode-users at lists.osgeo.org
>>
>> *Subject:* Re: [GeoNode-users] Geonode security vulnerability
>>
>>
>>
>> Daniel, this is good, we did this on master and 2.4.x as well, see
>> https://github.com/GeoNode/geonode/commit/5023b5df25da4acd7854e70f59e3cecb32d3f2f2
>>
>>
>>
>> Ciao
>>
>>
>>
>> 2017-02-13 12:04 GMT+01:00 Daniel Victoria <daniel.victoria at gmail.com>:
>>
>> The geonode.conf file in my Geonode installation (2.4) did not have those
>> lines. However, the upload/layers directory was still open to all. Looking
>> at the geonode.conf file I noticed that the uploaded/documents directory
>> was closed with the options:
>>
>> <Directory "/var/www/geonode/uploaded/documents/">
>>        Order allow,deny
>>        Deny from all
>> </Directory>
>>
>> So I repeated the same lines for the layers directory:
>>
>>
>> <Directory "/var/www/geonode/uploaded/layers/">
>>        Order allow,deny
>>        Deny from all
>> </Directory>
>>
>> Does that look ok? Or am I bound to break something? Until now,
>> everything looks fine
>>
>> Thanks
>>
>> Daniel
>>
>>
>>
>>
>>
>> On Mon, Feb 13, 2017 at 4:15 AM, Simone Dalmasso <
>> simone.dalmasso at gmail.com> wrote:
>>
>> Hi Jonathan,
>>
>>
>>
>> the change is not yet published in the packages but the 2.6 will
>> definitely contain it.
>>
>>
>>
>> Best
>>
>>
>>
>> 2017-02-13 0:28 GMT+01:00 Jonathan Doig <j.doig at unsw.edu.au>:
>>
>> I’ve tested upload at my end after the change: no impact. Also it was
>> advised (and merged to the doco) by Geonode dev Simone Dalmasso.
>>
>>
>>
>> Regards
>>
>> Jonathan
>>
>>
>>
>> *From:* Daniel Victoria [mailto:daniel.victoria at gmail.com]
>> *Sent:* Friday, 10 February 2017 11:22 PM
>> *To:* Jonathan Doig
>> *Cc:* geonode-users at lists.osgeo.org
>> *Subject:* Re: [GeoNode-users] Geonode security vulnerability
>>
>>
>>
>> Hi Jonathan,
>>
>> Thanks for the heads up. Just to be sure, by changing the geonode.conf I
>> won't break any other GeoNode functionality?
>>
>> Cheers
>>
>> Daniel
>>
>>
>>
>> On Thu, Feb 9, 2017 at 10:10 PM, Jonathan Doig <j.doig at unsw.edu.au>
>> wrote:
>>
>> Dear all
>>
>>
>>
>> I found this issue on my own site and am passing it on as it also affects
>> a number of sites I’ve found online.
>>
>>
>>
>> The data on your Geonode site may be publicly downloadable, regardless of
>> permissions, at:
>>
>> http://<your_geonode_host>/uploaded/layers/
>>
>>
>>
>> You need to edit /etc/apache2/sites-available/geonode.conf and remove
>> the block which tells Apache to serve uploaded/layers/. It will look
>> something like this:
>>
>>
>>
>>     <Directory "/home/geonode/geonode/geonode/uploaded/layers/">
>>
>>         Order allow,deny
>>
>>         Options Indexes FollowSymLinks
>>
>>         Allow from all
>>
>>         Require all granted
>>
>>         IndexOptions FancyIndexing
>>
>>     </Directory>
>>
>>
>>
>> Then restart Apache:
>>
>>
>>
>>     sudo service apache2 restart
>>
>>
>>
>> I’ve issued a pull request <https://github.com/GeoNode/geonode/pull/2899>
>> to update the install doco
>> <http://docs.geonode.org/en/master/tutorials/install_and_admin/geonode_install/setup_configure_httpd.html#apache-configuration>.
>> As a courtesy, I’ve also contacted the admins of sites I found through a
>> “Powered by Geonode” Google search.
>>
>>
>>
>> Regards
>>
>> *Jonathan Doig*
>>
>> *Software Engineer – Spatial Systems*
>>
>> *City Futures Research Centre*
>>
>> *UNSW Built Environment *
>>
>> Level 3, Red Centre West Wing
>>
>>
>>
>> UNSW Sydney
>>
>> NSW 2052 AUSTRALIA
>>
>> T: +61 (2) 9385 5319 M: 0409 049185
>>
>> cityfutures.net.au <http://cityfutures.be.unsw.edu.au/>
>>
>>
>> _______________________________________________
>> geonode-users mailing list
>> geonode-users at lists.osgeo.org
>> https://lists.osgeo.org/mailman/listinfo/geonode-users
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> --
>>
>> Simone
>>
>>
>>
>>
>>
>>
>>
>> --
>>
>> Simone
>>
>>
>>
>


-- 
Simone
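The audit below is an added example, not code from this thread or from the GeoNode project. It scans an Apache config for the Directory block covering uploaded/layers/ that Jonathan's and Daniel's messages discuss and reports whether that block still grants access, explicitly denies it, or is absent. The function names, the verdict words and the sample configs are constructed for this example.

```shell
# Added audit helper (not from the thread or the GeoNode project): reports
# whether an Apache config still serves GeoNode's uploaded/layers/ directory.
# Verdicts: OPEN (grant directive, or no explicit deny), DENIED, ABSENT
# (no such block). Exit status is 1 only for OPEN.
audit_layers_block() {
    awk '
        # Enter the <Directory> block whose path ends in uploaded/layers/
        # (package and manual installs use different base directories).
        /^[ \t]*<Directory[ \t]+"?[^">]*uploaded\/layers\/?"?[ \t]*>/ { inblk = 1; found = 1; next }
        /^[ \t]*<\/Directory>/ { inblk = 0; next }
        inblk && /^[ \t]*(Allow[ \t]+from[ \t]+all|Require[ \t]+all[ \t]+granted)/ { grant = 1 }
        inblk && /^[ \t]*(Deny[ \t]+from[ \t]+all|Require[ \t]+all[ \t]+denied)/ { deny = 1 }
        END {
            if (!found) { print "ABSENT"; exit 0 }
            # A grant next to a deny is still flagged: resolve Order/Require
            # precedence by hand rather than trusting this script.
            if (grant)  { print "OPEN";   exit 1 }
            if (deny)   { print "DENIED"; exit 0 }
            print "OPEN"; exit 1
        }
    ' "$1"
}

# Constructed sample configs (not real files) mirroring the exposed block
# Jonathan quoted and the Deny block Daniel added; prints the verdict.
sample_verdict() {
    tmp=$(mktemp)
    case "$1" in
        open) cat > "$tmp" <<'EOF'
<Directory "/home/geonode/geonode/geonode/uploaded/layers/">
    Order allow,deny
    Options Indexes FollowSymLinks
    Allow from all
    Require all granted
    IndexOptions FancyIndexing
</Directory>
EOF
        ;;
        denied) cat > "$tmp" <<'EOF'
<Directory "/var/www/geonode/uploaded/layers/">
       Order allow,deny
       Deny from all
</Directory>
EOF
        ;;
        *) : > "$tmp" ;;
    esac
    rc=0; audit_layers_block "$tmp" || rc=$?
    rm -f "$tmp"; return $rc
}
```

Run it against your own geonode.conf with audit_layers_block /etc/apache2/sites-available/geonode.conf; a non-zero exit status means the block Jonathan describes is still serving the directory.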

