Bug #450
closed
Some packages do not use authentication for their web interface
Description
Hello, just found out that if you have installed the package and you haven't logged in to the web interface yet but go directly to <ip>/phpsysinfo, then you get the information about your system without any password request.
Probably no .htaccess is set in the directory.
Another thing is if you have installed the package and you access it through the web-interface it opens the whole site itself and not just the frame like on the other sites.
So maybe if the phpsysinfo wouldn't be a site on its own and couldn't be accessed by /link, the problem with the login would also be resolved.
Updated by Perry Mason over 15 years ago
Invalid bug. FYI you will also see that with some of the other packages.
Updated by Chris Buechler over 15 years ago
It's just how it works, and there isn't any ability to add htaccess for packages (the web interface doesn't use htaccess). It would be nice to have a way to accommodate this in the future for packages though. This affects some other packages as well.
Updated by Martin Hronek over 15 years ago
So it's not in the interest that no unauthorized can read information about the system? Or should I post that in the Forum?
Updated by Martin Hronek over 15 years ago
Martin Hronek wrote:
So it's not in the interest that no unauthorized can read information about the system? Or should I post that in the Forum?
edit: ah ok thanks Chris
Updated by Chris Buechler over 15 years ago
- Subject changed from phpsysinfo to Some packages do not use authentication for their web interface
- Estimated time deleted (8.00 h)
- Affected Version changed from 1.2.3 to All
Updated by Martin Hronek over 14 years ago
http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ModAuth
"When loaded together with mod_fastcgi, mod_auth must be loaded before mod_fastcgi."
Seems to be a possible solution?
Updated by Martin Hronek over 14 years ago
Added "mod_auth" in /var/etc/lighty-webConfigurator.conf, and for testing purposes:
- auth test
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/var/run/htpasswd"
auth.require = ("/phpsysinfo/" => ("method" => "basic", "realm" => ".", "require" => "valid-user"))
After a lighttpd restart (kill the process and start it again) it worked both ways.
If I log in in the subfolder (/phpsysinfo) I also get authed in the root (https://<ip>) and vice versa.
Updated by Martin Hronek over 14 years ago
ok just did another edit
auth.require = ("/phpsysinfo/" => ("method" => "basic", "realm" => ".", "require" => "valid-user"))
changed to
auth.require = ("/" => ("method" => "basic", "realm" => ".", "require" => "valid-user"))
and auth is needed for everything, so that the "auth.inc" would probably be unneeded?
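An offline check for the two points raised in the comments above (the mod_auth/mod_fastcgi load order quoted from the lighttpd docs, and which URL prefixes auth.require covers), added here as an example and not code from the thread or the project. The sample config and the /otherpkg/ path are constructed, and it assumes auth.require keys match as URL path prefixes.

```python
import re

# Constructed sample, not the reporter's real file: mod_fastcgi is listed
# before mod_auth and only /phpsysinfo/ has an auth.require entry.
SAMPLE_CONF = '''
server.modules = ( "mod_access", "mod_fastcgi", "mod_auth" )
# auth test
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/var/run/htpasswd"
auth.require = ("/phpsysinfo/" => ("method" => "basic", "realm" => ".", "require" => "valid-user"))
'''

def paren_body(conf, key):
    """Text inside the balanced (...) assigned to key, or '' if absent.
    Simplification: parentheses inside quoted strings are not handled."""
    m = re.search(re.escape(key) + r'\s*\+?=\s*\(', conf)
    if not m:
        return ''
    depth = 1
    for i in range(m.end(), len(conf)):
        depth += {'(': 1, ')': -1}.get(conf[i], 0)
        if depth == 0:
            return conf[m.end():i]
    return ''

def audit(conf, package_paths):
    """Return findings for module order and for paths no prefix covers."""
    conf = re.sub(r'(?m)^[ \t]*#.*$', '', conf)  # drop comment lines
    mods = re.findall(r'"(mod_\w+)"', paren_body(conf, 'server.modules'))
    # Top-level keys of auth.require; assumed to match as URL path prefixes.
    prefixes = re.findall(r'"(/[^"]*)"\s*=>\s*\(', paren_body(conf, 'auth.require'))
    findings = []
    if 'mod_auth' not in mods:
        findings.append('mod_auth is not loaded')
    elif 'mod_fastcgi' in mods and mods.index('mod_auth') > mods.index('mod_fastcgi'):
        findings.append('mod_auth is loaded after mod_fastcgi')
    for path in package_paths:
        if not any(path.startswith(p) for p in prefixes):
            findings.append('no auth.require prefix covers ' + path)
    return findings

if __name__ == '__main__':
    # /otherpkg/ is a hypothetical second package directory.
    for finding in audit(SAMPLE_CONF, ['/phpsysinfo/index.php', '/otherpkg/index.php']):
        print(finding)
```

With the "/" prefix from the last comment and mod_auth listed first, the same call returns no findings.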
Updated by Chris Buechler about 9 years ago
- Status changed from New to Closed
The packages in question have all been removed.