[GeoNode-devel] Private data is publicly visible

Jonathan Doig j.doig at unsw.edu.au
Thu Feb 9 16:12:47 PST 2017


Thanks Simone for your response<https://github.com/GeoNode/geonode/issues/2896#issuecomment-278587461> on GitHub.

I've issued a pull request for a change to the manual install doco, removing the uploaded/layers block from /etc/apache2/sites-available/geonode.conf. The same may be needed for other install methods (ansible? quick install?).

There are easily discovered geonode sites out there with this vulnerability. I've emailed the admins of a number of sites I found. They need to know they should make this change, especially now that I've exposed it here :/

I've also emailed geonode-users.

Also the upgrade path for existing sites may need some specific instruction to remove this block from the Apache conf.

Regards
Jonathan

From: geonode-devel [mailto:geonode-devel-bounces at lists.osgeo.org] On Behalf Of Jonathan Doig
Sent: Thursday, 9 February 2017 12:03 PM
To: geonode-devel at lists.osgeo.org
Subject: [GeoNode-devel] Private data is publicly visible


Hi all

In Geonode 2.4, all uploaded data can be listed and downloaded from http://<host>/uploaded/layers regardless of security permissions.

This seems to be by design. The installation doco<http://docs.geonode.org/en/master/tutorials/install_and_admin/geonode_install/setup_configure_httpd.html> says to make it all wide open:

sudo chmod -Rf 777 /home/geonode/geonode/geonode/uploaded/thumbs

sudo chmod -Rf 777 /home/geonode/geonode/geonode/uploaded/layers

Raised as issue 2896<https://github.com/GeoNode/geonode/issues/2896>.

Removing 'other' permission (chmod 770) breaks the upload function.

Jonathan Doig
Software Engineer - Spatial Systems
City Futures Research Centre
UNSW Built Environment
Level 3, Red Centre West Wing

UNSW Sydney
NSW 2052 AUSTRALIA
T:+ 61 (2) 9385 5319 M: 0409 049185
cityfutures.net.au<http://cityfutures.be.unsw.edu.au/>

CRICOS Provider Code 00098G
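A quick audit for the two conditions described in the thread, written here as an added example (not GeoNode project code and not part of either message). It assumes the offending block in geonode.conf is an Alias or Directory directive naming uploaded/layers, and it runs against constructed config files standing in for /etc/apache2/sites-available/geonode.conf.

```shell
#!/bin/sh
# Added audit helper (not GeoNode project code). It checks the two things the
# thread describes: whether an Apache site config still carries the block that
# serves uploaded/layers directly, and whether the layers directory is
# world-readable (chmod 777). The exact directive text in the GeoNode docs is
# assumed; the check matches Alias/Directory lines that name uploaded/layers.

# Returns 0 when the config exposes uploaded/layers, 1 when it does not.
conf_exposes_layers() {
    # Drop comment lines first so a commented-out block does not count.
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eiq '^[[:space:]]*(Alias[[:space:]]|<Directory[[:space:]]).*uploaded/layers'
}

# Prints "world-readable" or "restricted" from the "other" read bit, taken
# from ls -ld so it behaves the same on GNU and BSD userland.
dir_other_perms() {
    case "$(ls -ld "$1")" in
        d??????r*) echo world-readable ;;
        *)         echo restricted ;;
    esac
}

# One-line verdict combining both checks.
audit_geonode() {
    conf="$1"; dir="$2"
    if conf_exposes_layers "$conf"; then
        echo "EXPOSED: $conf serves uploaded/layers; directory is $(dir_other_perms "$dir")"
    else
        echo "OK: $conf does not serve uploaded/layers; directory is $(dir_other_perms "$dir")"
    fi
}

# Demo on constructed input (stand-ins for geonode.conf before and after the fix).
demo() {
    tmp=$(mktemp -d)
    printf 'Alias /uploaded/layers /home/geonode/geonode/geonode/uploaded/layers\n' > "$tmp/before.conf"
    printf '# uploaded/layers block removed per issue 2896\nAlias /static /home/geonode/static\n' > "$tmp/after.conf"
    mkdir "$tmp/layers" && chmod 777 "$tmp/layers"
    audit_geonode "$tmp/before.conf" "$tmp/layers"
    audit_geonode "$tmp/after.conf" "$tmp/layers"
    rm -rf "$tmp"
}
demo
```

Run it against the real config and directory paths to confirm the block is gone after the documented change; the directory will still show as world-readable, which the thread notes is required for uploads to keep working.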

