[GeoNode-users] Geonode security vulnerability
j.doig at unsw.edu.au
Thu Feb 9 16:10:58 PST 2017
I found this issue on my own site and am passing it on as it also affects a number of sites I've found online.
The data on your Geonode site may be publicly downloadable, regardless of permissions, at:
You need to edit /etc/apache2/sites-available/geonode.conf and remove the block which tells Apache to serve uploaded/layers/. It will look something like this:
Options Indexes FollowSymLinks
Allow from all
Require all granted
Then restart Apache:
sudo service apache2 restart
I've issued a pull request<https://github.com/GeoNode/geonode/pull/2899> to update the install doco<http://docs.geonode.org/en/master/tutorials/install_and_admin/geonode_install/setup_configure_httpd.html#apache-configuration>. As a courtesy, I've also contacted the admins of sites I found through a "Powered by Geonode" Google search.
Software Engineer - Spatial Systems
City Futures Research Centre
UNSW Built Environment
Level 3, Red Centre West Wing
NSW 2052 AUSTRALIA
T:+ 61 (2) 9385 5319 M: 0409 049185
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the geonode-users