[GeoNode-devel] Private data is publicly visible

Simone Dalmasso simone.dalmasso at gmail.com
Fri Feb 10 01:07:29 PST 2017


Thank you for the PR and the report,

we will also check the package status and update it accordingly if needed.

Ciao!

2017-02-10 1:12 GMT+01:00 Jonathan Doig <j.doig at unsw.edu.au>:

> Thanks Simone for your response
> <https://github.com/GeoNode/geonode/issues/2896#issuecomment-278587461>
> on GitHub.
>
> I’ve issued a pull request for a change to the manual install doco,
> removing the uploaded/layers block from /etc/apache2/sites-available/geonode.conf.
> The same may be needed for other install methods (ansible? quick install?).
>
> There are easily discovered geonode sites out there with this
> vulnerability. I’ve emailed the admins of a number of sites I found. They
> need to know they should make this change, especially now that I’ve exposed
> it here :/
>
> I’ve also emailed geonode-users.
>
> Also the upgrade path for existing sites may need some specific
> instruction to remove this block from the Apache conf.
>
> Regards
>
> Jonathan
>
> *From:* geonode-devel [mailto:geonode-devel-bounces at lists.osgeo.org] *On
> Behalf Of *Jonathan Doig
> *Sent:* Thursday, 9 February 2017 12:03 PM
> *To:* geonode-devel at lists.osgeo.org
> *Subject:* [GeoNode-devel] Private data is publicly visible
>
> Hi all
>
> In Geonode 2.4, all uploaded data can be listed and downloaded from
> http://<host>/uploaded/layers regardless of security permissions.
>
> This seems to be by design. The installation doco
> <http://docs.geonode.org/en/master/tutorials/install_and_admin/geonode_install/setup_configure_httpd.html>
> says to make it all wide open:
>
> sudo chmod -Rf 777 /home/geonode/geonode/geonode/uploaded/thumbs
> sudo chmod -Rf 777 /home/geonode/geonode/geonode/uploaded/layers
>
> Raised as issue 2896 <https://github.com/GeoNode/geonode/issues/2896>.
>
> Removing ‘other’ permission (chmod 770) breaks the upload function.
>
> *Jonathan Doig*
> *Software Engineer – Spatial Systems*
> *City Futures Research Centre*
> *UNSW Built Environment*
> Level 3, Red Centre West Wing
> UNSW Sydney
> NSW 2052 AUSTRALIA
> T: +61 (2) 9385 5319 M: 0409 049185
> cityfutures.net.au <http://cityfutures.be.unsw.edu.au/>
> CRICOS Provider Code 00098G
> _______________________________________________
> geonode-devel mailing list
> geonode-devel at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/geonode-devel
>
>


-- 
Simone
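The thread describes two separate problems on a GeoNode 2.4 host: an Apache alias that serves the uploaded/layers directory to anyone, and install docs that set 777 on the upload directories (while plain 770 breaks uploads). The audit script below is an added example, not code from the thread or from the GeoNode project; it assumes the uploading process (Django under Apache or uwsgi) runs in the group you pass to harden_upload_dir, and that the host URL passed to listing_exposed is your own site.

```shell
#!/bin/sh
# Added example: audit and tighten GeoNode upload directories.
# Assumptions (not from the thread): the web/upload process runs as the
# group given to harden_upload_dir, so group rw is enough for uploads and
# the "other" bits the install docs grant can be dropped entirely.

# List every entry under $1 that is readable, writable or executable by
# "other". Returns 0 when nothing is world-accessible, 1 otherwise.
world_accessible() {
    offenders=$(find "$1" \( -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    if [ -n "$offenders" ]; then
        printf 'world-accessible entries under %s:\n%s\n' "$1" "$offenders"
        return 1
    fi
    return 0
}

# Replace the docs' "chmod -Rf 777" with group ownership: directories get
# 2770 (setgid so new uploads inherit the group), files get 660. $2 is the
# group the upload process runs as (placeholder; e.g. www-data on Debian).
harden_upload_dir() {
    dir="$1"
    group="$2"
    [ -n "$group" ] && chgrp -R "$group" "$dir"
    find "$dir" -type d -exec chmod 2770 {} +
    find "$dir" -type f -exec chmod 660 {} +
}

# Remote check: with the Apache alias block removed, the listing URL should
# no longer answer 200. Returns 0 when not exposed, 1 when it still is.
# Network call; run it only against a host you administer.
listing_exposed() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/uploaded/layers/")
    [ "$code" != "200" ]
}

# Usage on a real install (paths from the thread, group is an assumption):
#   world_accessible /home/geonode/geonode/geonode/uploaded/layers
#   harden_upload_dir /home/geonode/geonode/geonode/uploaded/layers www-data
#   listing_exposed "http://<host>"
```

After hardening, re-run an upload as a normal user; if it fails, the upload process is not in the group you chose, which is the same symptom the thread saw with a bare chmod 770.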