Subject: default apache config should limit REST requests
Package: rt3.6-apache2
Version: 3.6.1-4
Severity: normal
File: /etc/request-tracker3.6/apache2-modperl2.conf
Tags: security
The default installation of request tracker ships with sample config files for Apache that are missing an important directive, which may go unnoticed. A part of the web interface is used for inserting email into the system (this is used by rt-mailgate). I came across this in the RT wiki: http://wiki.bestpractical.com/view/MailGatewayAccessControl

Basically the following should be included by default:

    <Location /REST/1.0/NoAuth>
        Order Allow,Deny
        Allow from 127.0.0.1
    </Location>

or maybe the following, to match the installation under /rt:

    <Location /rt/REST/1.0/NoAuth>
        Order Allow,Deny
        Allow from 127.0.0.1
    </Location>

Giving direct access to the REST interface allows users to bypass mail filtering rules.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable'), (60, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages rt3.6-apache2 depends on:
ii  apache2                    2.2.3-4+etch4  Next generation, scalable, extenda
ii  apache2-mpm-prefork [apach 2.2.3-4+etch4  Traditional model for Apache HTTPD
ii  libapache-dbi-perl         1.04-0.1       Connect apache server to database
ii  libapache2-mod-perl2       2.0.2-2.4      Integration of perl with the Apach

rt3.6-apache2 recommends no packages.

-- no debconf information

-- 
-- arthur de jong - [EMAIL PROTECTED] - west consulting b.v. --
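As an added example (not part of the bug report or of the RT package), a small audit check that parses an Apache 2.2-style config and reports whether every REST/1.0/NoAuth Location block uses the Order Allow,Deny / Allow from 127.0.0.1 pattern recommended above; the two sample configs are constructed here to show the shipped (unrestricted) state beside the fixed one.

```python
import re

# Constructed sample: what the shipped config effectively looks like
# (no restriction on the NoAuth mail-gateway path).
UNRESTRICTED_CONF = """
<Location /rt>
    SetHandler perl-script
    PerlHandler RT::Mason
</Location>
"""

# Constructed sample: the same config with the block the report asks for.
RESTRICTED_CONF = UNRESTRICTED_CONF + """
<Location /rt/REST/1.0/NoAuth>
    Order Allow,Deny
    Allow from 127.0.0.1
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)


def location_blocks(conf):
    """Return {path: [non-empty directive lines]} for each <Location> block."""
    blocks = {}
    for path, body in LOCATION_RE.findall(conf):
        blocks[path] = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return blocks


def noauth_restricted(conf, allowed="127.0.0.1"):
    """True only if a REST/1.0/NoAuth block exists, denies by default
    (Order Allow,Deny) and allows nothing but the given address.
    Any extra or broader 'Allow from' (e.g. 'Allow from all') fails."""
    found = False
    for path, lines in location_blocks(conf).items():
        if not path.rstrip("/").endswith("/REST/1.0/NoAuth"):
            continue
        found = True
        lower = [ln.lower() for ln in lines]
        has_order = "order allow,deny" in lower
        allows = [ln for ln in lower if ln.startswith("allow from")]
        if not has_order or allows != [f"allow from {allowed}"]:
            return False
    return found
```

Running it against /etc/request-tracker3.6/apache2-modperl2.conf (read the file and pass its text to noauth_restricted) gives a quick yes/no on whether the mail-gateway path is still world-reachable.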

