[GeoNode-users] Geonode security vulnerability

Simone Dalmasso simone.dalmasso at gmail.com
Mon Feb 13 04:29:15 PST 2017


Daniel, this is good, we did this on master and 2.4.x as well, see
https://github.com/GeoNode/geonode/commit/5023b5df25da4acd7854e70f59e3cecb32d3f2f2

Ciao

2017-02-13 12:04 GMT+01:00 Daniel Victoria <daniel.victoria at gmail.com>:

> The geonode.conf file in my Geonode installation (2.4) did not have those
> lines. However, the upload/layers directory was still open to all. Looking
> at the geonode.conf file I noticed that the uploaded/documents directory
> was closed with the options:
>
> <Directory "/var/www/geonode/uploaded/documents/">
>        Order allow,deny
>        Deny from all
> </Directory>
>
> So I repeated the same lines for the layers directory:
>
> <Directory "/var/www/geonode/uploaded/layers/">
>        Order allow,deny
>        Deny from all
> </Directory>
>
> Does that look ok? Or am I bound to break something? Until now, everything
> looks fine
>
> Thanks
> Daniel
>
>
> On Mon, Feb 13, 2017 at 4:15 AM, Simone Dalmasso <
> simone.dalmasso at gmail.com> wrote:
>
>> Hi Jonathan,
>>
>> the change is not yet published in the packages but the 2.6 will
>> definitely contain it.
>>
>> Best
>>
>> 2017-02-13 0:28 GMT+01:00 Jonathan Doig <j.doig at unsw.edu.au>:
>>
>>> I’ve tested upload at my end after the change: no impact. Also it was
>>> advised (and merged to the doco) by Geonode dev Simone Dalmasso.
>>>
>>>
>>>
>>> Regards
>>>
>>> Jonathan
>>>
>>>
>>>
>>> *From:* Daniel Victoria [mailto:daniel.victoria at gmail.com]
>>> *Sent:* Friday, 10 February 2017 11:22 PM
>>> *To:* Jonathan Doig
>>> *Cc:* geonode-users at lists.osgeo.org
>>> *Subject:* Re: [GeoNode-users] Geonode security vulnerability
>>>
>>>
>>>
>>> Hi Jonathan,
>>>
>>> Thanks for the heads up. Just to be sure, by changing the geonode.conf I
>>> won't break any other GeoNode functionality?
>>>
>>> Cheers
>>>
>>> Daniel
>>>
>>>
>>>
>>> On Thu, Feb 9, 2017 at 10:10 PM, Jonathan Doig <j.doig at unsw.edu.au>
>>> wrote:
>>>
>>> Dear all
>>>
>>>
>>>
>>> I found this issue on my own site and am passing it on as it also
>>> affects a number of sites I’ve found online.
>>>
>>>
>>>
>>> The data on your Geonode site may be publicly downloadable, regardless
>>> of permissions, at:
>>>
>>> http://<your_geonode_host>/uploaded/layers/
>>>
>>>
>>>
>>> You need to edit /etc/apache2/sites-available/geonode.conf and remove
>>> the block which tells Apache to serve uploaded/layers/. It will look
>>> something like this:
>>>
>>>
>>>
>>>     <Directory "/home/geonode/geonode/geonode/uploaded/layers/">
>>>         Order allow,deny
>>>         Options Indexes FollowSymLinks
>>>         Allow from all
>>>         Require all granted
>>>         IndexOptions FancyIndexing
>>>     </Directory>
>>>
>>>
>>>
>>> Then restart Apache:
>>>
>>>
>>>
>>>     sudo service apache2 restart
>>>
>>>
>>>
>>> I’ve issued a pull request
>>> <https://github.com/GeoNode/geonode/pull/2899> to update the install
>>> doco
>>> <http://docs.geonode.org/en/master/tutorials/install_and_admin/geonode_install/setup_configure_httpd.html#apache-configuration>.
>>> As a courtesy, I’ve also contacted the admins of sites I found through a
>>> “Powered by Geonode” Google search.
>>>
>>>
>>>
>>> Regards
>>>
>>> *Jonathan Doig*
>>>
>>> *Software Engineer – Spatial Systems*
>>>
>>> *City Futures Research Centre*
>>>
>>> *UNSW Built Environment *
>>>
>>> Level 3, Red Centre West Wing
>>>
>>>
>>>
>>> UNSW Sydney
>>>
>>> NSW 2052 AUSTRALIA
>>>
>>> T: +61 (2) 9385 5319 M: 0409 049185
>>>
>>> cityfutures.net.au <http://cityfutures.be.unsw.edu.au/>
>>>
>>>
>>> _______________________________________________
>>> geonode-users mailing list
>>> geonode-users at lists.osgeo.org
>>> https://lists.osgeo.org/mailman/listinfo/geonode-users
>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Simone
>>
>
>


-- 
Simone
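As an added illustration of the fix discussed in this thread (example code written for this page, not GeoNode's own code): a small auditor that parses geonode.conf-style <Directory> blocks and reports any block under uploaded/ that still grants access to everyone or enables directory listing. It evaluates both the 2.2-style Order/Allow/Deny directives used in the quoted blocks (on Apache 2.4 these only work through mod_access_compat; the native 2.4 equivalent of Daniel's closed block is "Require all denied") and the 2.4 Require directives. The embedded sample config is constructed from the blocks quoted above plus one 2.4-style closed block; pass a real config path as the first argument to audit it instead.

```python
"""Audit an Apache httpd config for <Directory> blocks that leave GeoNode's
uploaded/ tree (layers, documents) world-readable or listable.
Added example for this thread, not GeoNode's own code."""
import re
import sys

# Constructed sample config: the open block quoted in the thread, the closed
# documents block, and a 2.4-style closed block.  Not any real site's config.
SAMPLE_CONF = """
<Directory "/home/geonode/geonode/geonode/uploaded/layers/">
    Order allow,deny
    Options Indexes FollowSymLinks
    Allow from all
    Require all granted
    IndexOptions FancyIndexing
</Directory>

<Directory "/var/www/geonode/uploaded/documents/">
    Order allow,deny
    Deny from all
</Directory>

<Directory "/var/www/geonode/uploaded/layers/">
    Require all denied
</Directory>
"""

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>',
                          re.IGNORECASE | re.DOTALL)


def parse_directory_blocks(conf):
    """Return [(path, [lower-cased directive, ...])] for every <Directory> block."""
    blocks = []
    for m in DIRECTORY_RE.finditer(conf):
        lines = (ln.strip() for ln in m.group(2).splitlines())
        directives = [ln.lower() for ln in lines if ln and not ln.startswith('#')]
        blocks.append((m.group(1).strip(), directives))
    return blocks


def legacy_access_open(directives):
    """Evaluate the 2.2-style Order/Allow/Deny directives for the 'from all'
    case.  True = open to everyone, False = denied, None = no such directives."""
    order = [d.split(None, 1)[1].replace(' ', '') for d in directives
             if d.startswith('order ')]
    allow = any(d.startswith('allow from all') for d in directives)
    deny = any(d.startswith('deny from all') for d in directives)
    if not (order or allow or deny):
        return None
    if order and order[-1] == 'allow,deny':
        return allow and not deny        # default deny; Deny overrides Allow
    return allow or not deny             # Deny,Allow (the default): default allow


def access_problems(directives):
    """List the reasons a block is considered exposed (empty list = closed)."""
    problems = []
    if any(d.startswith('require all granted') for d in directives):
        problems.append('Require all granted')
    legacy = legacy_access_open(directives)
    if legacy:
        problems.append('Order/Allow/Deny grants access to all')
    opts = [d.split()[1:] for d in directives if d.startswith('options')]
    if any('indexes' in o or '+indexes' in o for o in opts):
        problems.append('Options Indexes (directory listing enabled)')
    has_require = any(d.startswith('require ') for d in directives)
    if not has_require and legacy is None:
        problems.append('no access directives: inherits parent settings')
    return problems


def audit_conf(conf, subtree='uploaded/'):
    """Map each <Directory> path under the subtree to its list of problems."""
    return {path: access_problems(directives)
            for path, directives in parse_directory_blocks(conf)
            if subtree in path}


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for path, problems in audit_conf(text).items():
        print(('OPEN   ' if problems else 'closed ') + path)
        for problem in problems:
            print('        - ' + problem)
```

The auditor only reads the configuration, so it is safe to run on a live server before and after the edit and restart described in the thread; a block that is reported closed under both syntaxes is the state Daniel's replacement block achieves.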