Bug #450
closed
Some packages do not use authentication for their web interface
Added by Martin Hronek over 15 years ago.
Updated over 9 years ago.
Description
Hello, just found out that if you have installed the package and you haven't logged in to the web interface yet but directly go to <ip>/phpsysinfo, then you get the information about your system without any password request.
Probably no .htaccess is set in the directory.
Another thing is if you have installed the package and you access it through the web-interface it opens the whole site itself and not just the frame like on the other sites.
So maybe if the phpsysinfo wouldn't be a site on its own and couldn't be accessed by /link, the problem with the login would also be resolved.
Invalid bug. FYI you will also see that with some of the other packages.
It's just how it works, and there isn't any ability to add htaccess for packages (the web interface doesn't use htaccess). It would be nice to have a way to accommodate this in the future for packages though. This affects some other packages as well.
So it's not in the interest that no unauthorized can read information about the system? Or should I post that in the forum?
Martin Hronek wrote:
So it's not in the interest that no unauthorized can read information about the system? Or should I post that in the forum?
edit: ah ok thanks Chris
- Subject changed from phpsysinfo to Some packages do not use authentication for their web interface
- Estimated time deleted (8.00 h)
- Affected Version changed from 1.2.3 to All
I tried it on my 1.2.3 installation.
Added "mod_auth" in /var/etc/lighty-webConfigurator.conf, and for testing purposes:
- auth test
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/var/run/htpasswd"
auth.require = ("/phpsysinfo/" => ("method" => "basic", "realm" => ".", "require" => "valid-user"))
After a lighttpd restart (kill process and start again) it worked both ways.
If I log in in the subfolder (/phpsysinfo) I also get authed in root (https://<ip>) and vice versa.
ok just did another edit
auth.require = ("/phpsysinfo/" => ("method" => "basic", "realm" => ".", "require" => "valid-user"))
changed to
auth.require = ("/" => ("method" => "basic", "realm" => ".", "require" => "valid-user"))
and auth is needed for everything, so that the "auth.inc" would probably be unneeded?
- Status changed from New to Closed
The packages in question have all been removed.
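
An added example, not part of the ticket or of the project's code: a small audit that reads the two `auth.require` directives tried above and reports which URL paths each one guards. It assumes lighttpd matches `auth.require` keys as URL path prefixes and that each directive sits on one line; the sample paths, including `/example-package/`, are constructed.

```python
import re

# Top-level auth.require keys: a quoted URL prefix whose value is a
# parenthesised option list. Inner keys ("method", ...) map to strings.
PREFIX_RE = re.compile(r'"([^"]+)"\s*=>\s*\(')

# The two directives tried in the ticket.
CONF_SUBFOLDER = 'auth.require = ("/phpsysinfo/" => ("method" => "basic", "realm" => ".", "require" => "valid-user"))'
CONF_ROOT = 'auth.require = ("/" => ("method" => "basic", "realm" => ".", "require" => "valid-user"))'

# Constructed sample paths; "/example-package/" is a hypothetical second package.
PATHS = ["/phpsysinfo/index.php", "/index.php", "/example-package/index.php"]


def protected_prefixes(conf_text):
    """Return the URL prefixes named by auth.require lines (one directive per line)."""
    prefixes = []
    for line in conf_text.splitlines():
        if re.match(r"\s*auth\.require\s*\+?=", line):
            prefixes.extend(PREFIX_RE.findall(line))
    return prefixes


def audit(conf_text, paths):
    """Map each path to the longest prefix guarding it, or None if it is served without auth."""
    prefixes = protected_prefixes(conf_text)
    report = {}
    for path in paths:
        hits = [p for p in prefixes if path.startswith(p)]  # assumed prefix match
        report[path] = max(hits, key=len) if hits else None
    return report


if __name__ == "__main__":
    for name, conf in (("subfolder", CONF_SUBFOLDER), ("root", CONF_ROOT)):
        for path, guard in audit(conf, PATHS).items():
            print(f"{name:9} {path:28} {'guarded by ' + guard if guard else 'OPEN'}")
```

With the `/phpsysinfo/` directive only that package is guarded and any other package path stays open; the `/` directive guards every path.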