[GeoNode-users] Geonode security vulnerability

Jonathan Doig j.doig at unsw.edu.au
Mon Feb 13 15:04:05 PST 2017 

OK for consistency I’ve added those lines for uploaded/layers to the 2.4 manual install doco in this pull request<https://github.com/GeoNode/geonode/pull/2904>.

Jonathan

From: Simone Dalmasso [mailto:simone.dalmasso at gmail.com]
Sent: Monday, 13 February 2017 11:29 PM
To: Daniel Victoria
Cc: Jonathan Doig; geonode-users at lists.osgeo.org
Subject: Re: [GeoNode-users] Geonode security vulnerability

Daniel, this good, we did this on master and 2.4.x as well see https://github.com/GeoNode/geonode/commit/5023b5df25da4acd7854e70f59e3cecb32d3f2f2

Ciao

2017-02-13 12:04 GMT+01:00 Daniel Victoria <daniel.victoria at gmail.com<mailto:daniel.victoria at gmail.com>>:
The geonode.conf file in my Geonode instalation (2.4) did not have those lines. However, the upload/layers directory was still open to all. Looking at the geonode.conf file I noticed that the uploaded/documents directory was closed with the options:

<Directory "/var/www/geonode/uploaded/documents/">
       Order allow,deny
       Deny from all
</Directory>
So I repeated the same lines for the layers directory:

<Directory "/var/www/geonode/uploaded/layers/">
       Order allow,deny
       Deny from all
</Directory>
Does that look ok? Or am I bound to break something? Until now, everything looks fine
Thanks
Daniel


On Mon, Feb 13, 2017 at 4:15 AM, Simone Dalmasso <simone.dalmasso at gmail.com<mailto:simone.dalmasso at gmail.com>> wrote:
Hi Jonathan,

the change is not yet published in the packages but the 2.6 will definitely contain it.

Best

2017-02-13 0:28 GMT+01:00 Jonathan Doig <j.doig at unsw.edu.au<mailto:j.doig at unsw.edu.au>>:
I’ve tested upload at my end after the change: no impact. Also it was advised (and merged to the doco) by Geonode dev Simone Dalmasso.

Regards
Jonathan

From: Daniel Victoria [mailto:daniel.victoria at gmail.com<mailto:daniel.victoria at gmail.com>]
Sent: Friday, 10 February 2017 11:22 PM
To: Jonathan Doig
Cc: geonode-users at lists.osgeo.org<mailto:geonode-users at lists.osgeo.org>
Subject: Re: [GeoNode-users] Geonode security vulnerability

Hi Jonathan,
Thanks for the heads up. Just to be sure, by changing the geonode.conf I wont break any other GeoNode funcionality?
Cheers
Daniel

On Thu, Feb 9, 2017 at 10:10 PM, Jonathan Doig <j.doig at unsw.edu.au<mailto:j.doig at unsw.edu.au>> wrote:
Dear all

I found this issue on my own site and am passing it on as it also affects a number of sites I’ve found online.

The data on your Geonode site may be publicly downloadable, regardless of permissions, at:
http://<your_geonode_host>/uploaded/layers/<http://%3cyour_geonode_host%3e/uploaded/layers/>

You need to edit /etc/apache2/sites-available/geonode.conf and remove the block which tells Apache to serve uploaded/layers/. It will look something like this:

    <Directory "/home/geonode/geonode/geonode/uploaded/layers/">
        Order allow,deny
        Options Indexes FollowSymLinks
        Allow from all
        Require all granted
        IndexOptions FancyIndexing
    </Directory>

Then restart Apache:

    sudo service apache2 restart

I’ve issued a pull request<https://github.com/GeoNode/geonode/pull/2899> to update the install doco<http://docs.geonode.org/en/master/tutorials/install_and_admin/geonode_install/setup_configure_httpd.html#apache-configuration>. As a courtesy, I’ve also contacted the admins of sites I found through a “Powered by Geonode” Google search.

Regards
Jonathan Doig
Software Engineer – Spatial Systems
City Futures Research Centre
UNSW Built Environment
Level 3, Red Centre West Wing

UNSW Sydney
NSW 2052 AUSTRALIA
T:+ 61 (2) 9385 5319<tel:+61%202%209385%205319> M: 0409 049185
cityfutures.net.au<http://cityfutures.be.unsw.edu.au/>

_______________________________________________
geonode-users mailing list
geonode-users at lists.osgeo.org<mailto:geonode-users at lists.osgeo.org>
https://lists.osgeo.org/mailman/listinfo/geonode-users


_______________________________________________
geonode-users mailing list
geonode-users at lists.osgeo.org<mailto:geonode-users at lists.osgeo.org>
https://lists.osgeo.org/mailman/listinfo/geonode-users



--
Simone




--
Simone
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/geonode-users/attachments/20170213/01b37888/attachment-0001.html>

More information about the geonode-users mailing list