Actions
Bug #1208
closedUnauthenticated IP spoofing should not be allowed
Description
Now any server can spoof and get a kickstart file that might have interesting info (such as root password hash). This can be considered a security weakness as you shouldn't be allowed to spoof IPs unauthenticated anyway.
Next to that, as a workaround for #969, I've been forced to filter the allowed URLs in my apache config file (/etc/httpd/conf.d/foreman.conf - Check template sample below).
There is one important issue though. This won't match query strings such as "?spoof=" giving me one more reason for this request.
<Location /> Order Deny,Allow Deny from all <% scope.lookupvar('foreman::params::allowed_ips').split(',').each do |ip| -%> Allow from <%= ip %> <% end -%> Allow from 127.0.0.1 Allow from <%= ipaddress %> </Location> <Location ~ "^/unattended/(kickstart|built)$" > Order Deny,Allow Deny from all <% scope.lookupvar('foreman::params::unattended_allowed_ips').split(',').each do |ip| -%> Allow from <%= ip %> <% end -%> </Location>
Updated by Marcello de Sousa about 13 years ago
...and if auth required, via HTTPs only of course.
Updated by Ohad Levy about 13 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Applied in changeset 224783a1d0926b8d78d0e03aaf2ff4e856ae3aa7.
Actions