[GeoNode-users] Geonode security vulnerability
Jonathan Doig
j.doig at unsw.edu.au
Thu Feb 9 16:10:58 PST 2017
Dear all
I found this issue on my own site and am passing it on as it also affects a number of sites I've found online.
The data on your Geonode site may be publicly downloadable, regardless of permissions, at:
http://<your_geonode_host>/uploaded/layers/<http://%3cyour_geonode_host%3e/uploaded/layers/>
You need to edit /etc/apache2/sites-available/geonode.conf and remove the block which tells Apache to serve uploaded/layers/. It will look something like this:
<Directory "/home/geonode/geonode/geonode/uploaded/layers/">
Order allow,deny
Options Indexes FollowSymLinks
Allow from all
Require all granted
IndexOptions FancyIndexing
</Directory>
Then restart Apache:
sudo service apache2 restart
I've issued a pull request<https://github.com/GeoNode/geonode/pull/2899> to update the install doco<http://docs.geonode.org/en/master/tutorials/install_and_admin/geonode_install/setup_configure_httpd.html#apache-configuration>. As a courtesy, I've also contacted the admins of sites I found through a "Powered by Geonode" Google search.
Regards
Jonathan Doig
Software Engineer - Spatial Systems
City Futures Research Centre
UNSW Built Environment
Level 3, Red Centre West Wing
UNSW Sydney
NSW 2052 AUSTRALIA
T:+ 61 (2) 9385 5319 M: 0409 049185
cityfutures.net.au<http://cityfutures.be.unsw.edu.au/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/geonode-users/attachments/20170210/e404ad95/attachment.html>
More information about the geonode-users
mailing list