[GeoNode-users] Geonode security vulnerability

Jonathan Doig j.doig at unsw.edu.au
Thu Feb 9 16:10:58 PST 2017

Dear all

I found this issue on my own site and am passing it on as it also affects a number of sites I've found online.

The data on your Geonode site may be publicly downloadable, regardless of permissions, at:

You need to edit /etc/apache2/sites-available/geonode.conf and remove the block which tells Apache to serve uploaded/layers/. It will look something like this:

    <Directory "/home/geonode/geonode/geonode/uploaded/layers/">
        Order allow,deny
        Options Indexes FollowSymLinks
        Allow from all
        Require all granted
        IndexOptions FancyIndexing

Then restart Apache:

    sudo service apache2 restart

I've issued a pull request<https://github.com/GeoNode/geonode/pull/2899> to update the install doco<http://docs.geonode.org/en/master/tutorials/install_and_admin/geonode_install/setup_configure_httpd.html#apache-configuration>. As a courtesy, I've also contacted the admins of sites I found through a "Powered by Geonode" Google search.

Jonathan Doig
Software Engineer - Spatial Systems
City Futures Research Centre
UNSW Built Environment
Level 3, Red Centre West Wing

UNSW Sydney
T:+ 61 (2) 9385 5319 M: 0409 049185
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/geonode-users/attachments/20170210/e404ad95/attachment.html>

More information about the geonode-users mailing list