<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
code
{mso-style-priority:99;
font-family:"Courier New";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
mso-fareast-language:EN-US;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";
mso-fareast-language:EN-AU;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle25
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-AU" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Thanks Simone for your <a href="https://github.com/GeoNode/geonode/issues/2896#issuecomment-278587461">
response</a> on GitHub.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I’ve issued a pull request for a change to the manual install doco, removing the uploaded/layers block from /etc/apache2/sites-available/geonode.conf. The same may be needed for other install methods (ansible?
quick install?).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">There are easily discovered geonode sites out there with this vulnerability. I’ve emailed the admins of a number of sites I found. They need to know they should make this change, especially now that I’ve exposed
it here :/ <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I’ve also emailed geonode-users.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Also the upgrade path for existing sites may need some specific instruction to remove this block from the Apache conf.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Jonathan<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:EN-AU">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:EN-AU"> geonode-devel
[mailto:geonode-devel-bounces@lists.osgeo.org] <b>On Behalf Of </b>Jonathan Doig<br>
<b>Sent:</b> Thursday, 9 February 2017 12:03 PM<br>
<b>To:</b> geonode-devel@lists.osgeo.org<br>
<b>Subject:</b> [GeoNode-devel] Private data is publicly visible<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin-bottom:0cm;margin-bottom:.0001pt;background:white"><span style="font-size:10.5pt;font-family:"Segoe UI","sans-serif";color:#333333">Hi all<o:p></o:p></span></p>
<p style="margin-bottom:12.0pt;background:white"><span style="font-size:10.5pt;font-family:'Segoe UI','sans-serif';color:#333333">In Geonode 2.4, all uploaded data can be listed and downloaded from </span><code><span style="font-size:9.0pt;font-family:Consolas;color:#333333">http://&lt;host&gt;/uploaded/layers</span></code><span style="font-size:10.5pt;font-family:'Segoe UI','sans-serif';color:#333333"> regardless of security permissions.<br>
<br>
This seems to be by design. The<span class="apple-converted-space"> </span><a href="http://docs.geonode.org/en/master/tutorials/install_and_admin/geonode_install/setup_configure_httpd.html"><span style="color:#4078C0">installation doco</span></a><span class="apple-converted-space"> </span>says
to make it all wide open:<o:p></o:p></span></p>
<pre style="background:#F7F7F7"><code>sudo chmod -Rf 777 /home/geonode/geonode/geonode/uploaded/thumbs</code></pre>
<pre style="background:#F7F7F7"><code>sudo chmod -Rf 777 /home/geonode/geonode/geonode/uploaded/layers</code></pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Raised as issue <a href="https://github.com/GeoNode/geonode/issues/2896">
2896</a>.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Removing ‘other’ permission (chmod 770) breaks the upload function.<o:p></o:p></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#E36C0A;mso-fareast-language:EN-AU"><o:p> </o:p></span></b></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#E36C0A;mso-fareast-language:EN-AU">Jonathan Doig</span></b><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#7F7F7F;mso-fareast-language:EN-AU"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#7F7F7F;mso-fareast-language:EN-AU">Software Engineer – Spatial Systems<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#7F7F7F;mso-fareast-language:EN-AU">City Futures Research Centre<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#7F7F7F;mso-fareast-language:EN-AU">UNSW Built Environment
<o:p></o:p></span></i></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#7F7F7F;mso-fareast-language:EN-AU">Level 3, Red Centre West Wing
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#7F7F7F;mso-fareast-language:EN-AU"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#7F7F7F;mso-fareast-language:EN-AU">UNSW Sydney<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#7F7F7F;mso-fareast-language:EN-AU">NSW 2052 AUSTRALIA<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#7F7F7F;mso-fareast-language:EN-AU">T:+ 61 (2) 9385 5319 M: 0409 049185<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-AU"><a href="http://cityfutures.be.unsw.edu.au/"><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#0563C1">cityfutures.net.au</span></a></span><span style="font-size:8.5pt;font-family:"Arial","sans-serif";color:#7F7F7F;mso-fareast-language:EN-AU"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#221E1F;mso-fareast-language:EN-AU"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#221E1F;mso-fareast-language:EN-AU">CRICOS Provider Code 00098G<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#221E1F;mso-fareast-language:EN-AU"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
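<p class="MsoNormal">As an added check, not code from this thread or from the GeoNode project: a small Python audit for the two conditions the thread describes, an Apache Alias in geonode.conf that serves the uploaded/ tree straight from disk (bypassing GeoNode's permission checks), and world-accessible mode bits left by the doc's chmod 777. The sample vhost and the shape of its Alias/Directory block are constructed assumptions; on a live host feed it the real conf text and os.stat() modes.</p>

```python
"""Audit an Apache vhost and upload-dir modes for the GeoNode 2.4 exposure."""
import re
import stat

# Constructed sample of /etc/apache2/sites-available/geonode.conf. The shape of the
# uploaded/ Alias and <Directory> block is an assumption, not a quote of the install doc.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName geonode.example.org
    Alias /static/ /home/geonode/geonode/geonode/static_root/
    Alias /uploaded/ /home/geonode/geonode/geonode/uploaded/
    <Directory "/home/geonode/geonode/geonode/uploaded/">
        Options Indexes FollowSymLinks
        Require all granted
    </Directory>
    WSGIScriptAlias / /home/geonode/geonode/geonode/wsgi.py
</VirtualHost>
"""

ALIAS_RE = re.compile(r'^\s*Alias\s+(\S+)\s+"?([^"\s]+)"?', re.M)
DIR_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S)

def find_upload_aliases(conf):
    """Return [(url_prefix, fs_path, indexes_on)] for every Alias that hands the
    uploaded/ tree to Apache directly, bypassing GeoNode's permission checks."""
    dir_bodies = {d.rstrip('/'): body for d, body in DIR_RE.findall(conf)}
    hits = []
    for url, path in ALIAS_RE.findall(conf):
        if 'uploaded' not in path.split('/'):
            continue
        body = dir_bodies.get(path.rstrip('/'), '')
        indexes_on = re.search(r'^\s*Options\b.*\bIndexes\b', body, re.M) is not None
        hits.append((url, path, indexes_on))
    return hits

def world_accessible(mode):
    """True when 'other' holds any r/w/x bit, as left by the doc's chmod 777."""
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH))

def audit(conf, dir_modes):
    """dir_modes maps path -> st_mode (use os.stat(p).st_mode on a live host)."""
    findings = []
    for url, path, indexes_on in find_upload_aliases(conf):
        note = " with directory listing (Options Indexes)" if indexes_on else ""
        findings.append(f"Alias {url} serves {path} straight from disk{note}")
    for path, mode in dir_modes.items():
        if world_accessible(mode):
            findings.append(f"{path} is mode {oct(mode & 0o777)}: open to 'other'")
    return findings
```

A clean result is an empty list from audit(); any finding means either the Alias block the thread says to remove is still present or the upload directories still carry the 777 bits.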
</div>
</body>
</html>