On Tuesday 10 June 2008 at 18:53 +1000, Sven Dowideit wrote:
> I still contend that
> 
> "Allow from 127.0.0.1"
> 
> does _not_ constitute open to anyone on the internet.

Right. But see below...

>  While hard coding 
> TWikiGuest  with a password of guest is not in any sense a good thing, 
> from what I've noticed of other debian packages (and the fact that this 
> was the case when I inherited the package) make me feel that its _not_ 
> an issue that demands everyone to drop everything.

Keeping the TWikiGuest user with password guest can make sense, as long as
it's an open wiki where anonymous posts will be flagged as made by
TWikiGuest.
But in no case should this TWikiGuest user be granted configure access,
IMHO (hence the "configuser" in my patch).

> 
> "Satisfy Any" is not a better solution, as it opens configure up to an 
> even bigger group of users - anyone that has registered on the TWiki.
> 

Please RTFM:
http://httpd.apache.org/docs/2.2/mod/core.html#satisfy that explains
this kind of situation in sufficient detail, I think (or it's me who
didn't understand).

In the current case it behaves as such:
either 1) you're connecting from 127.0.0.1: the configure is open to
you,
or 2) you're from anywhere else, and then you need to know TWikiGuest's
password.

Basically, that's open to anyone with the proper script or knowledge!

What you're thinking of is "require valid-user", I think... which is
totally different from the "Satisfy Any" here.

Now, I suppose that you'll agree that there's a bigger security threat
than you initially thought?

Hope this helps,
-- 
Olivier BERGER <[EMAIL PROTECTED]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
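To make the "Satisfy Any" behaviour discussed in this thread concrete, here is an added Apache 2.2 configuration example (not the Debian twiki package's actual file, which is not quoted above) contrasting the weak pattern with a dedicated-user variant. The Location path, the AuthUserFile paths and the "configuser" account name are assumptions for illustration.

```apache
# WEAK (hypothetical reconstruction of the pattern described in the thread).
# Satisfy Any means the request is accepted if EITHER the host test OR the
# authentication test passes. Since the shared wiki .htpasswd contains the
# TWikiGuest account with the well-known password "guest", a remote client
# only needs to send those credentials: "Allow from 127.0.0.1" never applies.
<Location /cgi-bin/twiki/configure>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    AuthType Basic
    AuthName "TWiki configure"
    AuthUserFile /var/lib/twiki/data/.htpasswd   # assumed path; shared with the wiki, holds TWikiGuest:guest
    Require valid-user                          # any registered wiki user, TWikiGuest included
    Satisfy Any                                 # host check OR password check
</Location>

# HARDENED. The configure script gets its own password file that contains only
# a dedicated administrative account with no default password, and the host and
# password checks are combined with Satisfy All (both must pass). If remote
# administration is genuinely required, Satisfy Any is acceptable only with
# this separate file, because no guest or wiki account can then unlock it.
<Location /cgi-bin/twiki/configure>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    AuthType Basic
    AuthName "TWiki configure"
    AuthUserFile /etc/twiki/configure.htpasswd   # assumed path; create with: htpasswd -c <file> configuser
    Require user configuser                     # assumed account name; NOT TWikiGuest, NOT valid-user
    Satisfy All                                 # host check AND password check
</Location>
```

After reloading Apache, a request such as `curl -u TWikiGuest:guest http://<host>/cgi-bin/twiki/configure` from a non-local address should now return 401 (Satisfy Any with the dedicated file) or 403 (Satisfy All), whereas it succeeds against the weak block.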