tag 476269 etch
found 476269 3.6.6-2
thanks

On Tue, Apr 15, 2008 at 03:42:06PM +0200, Arthur de Jong wrote:
> Subject: default apache config should limit REST requests
> The default installation of request tracker ships with sample config
> files for Apache that are missing an important directive that may be
> unnoticed. A part of the web interface is used for inserting email into
> the system (this is used by rt-mailgate).
> <Location /rt/REST/1.0/NoAuth>
> Order Allow,Deny
> Allow from 127.0.0.1
> </Location>
>
> Giving direct access to the REST interface allows users to bypass mail
> filtering rules.

Thanks for the report. This would indeed be a better default. I'll add
this in the next upload.

I don't think the security implications are so severe as to warrant an
update for Etch, though.

Cheers,
-- 
Niko Tyni [EMAIL PROTECTED]
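Added example, not part of the original thread or of the request-tracker package: a Python check that an Apache configuration text restricts the /rt/REST/1.0/NoAuth location to loopback clients, covering the 2.2 syntax quoted in the report and, going beyond the thread, the Apache 2.4 `Require` syntax. The function names and sample configs are constructed for illustration; the check reads a single config text and does not follow Include directives or handle LocationMatch.

```python
import re

LOOPBACK = {"127.0.0.1", "::1"}
NOAUTH = "/rt/REST/1.0/NoAuth"  # path from the report; adjust to your mount point

def location_directives(conf, path):
    """Tokenised, lowercased directives inside <Location path>; None if no such block."""
    found, inside = None, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<Location\s+"?([^">\s]+)"?\s*>$', line, re.I)
        if m:
            inside = m.group(1).rstrip("/") == path.rstrip("/")
            if inside and found is None:
                found = []
        elif re.match(r"</Location\s*>$", line, re.I):
            inside = False
        elif inside:
            found.append(line.lower().split())
    return found

def noauth_is_local_only(conf, path=NOAUTH):
    """True only if the block exists and admits loopback clients alone."""
    d = location_directives(conf, path)
    if not d:
        return False  # missing or empty block: access is inherited from the parent
    order = [t[1] for t in d if t[0] == "order" and len(t) > 1]
    allow = [h for t in d if t[:2] == ["allow", "from"] for h in t[2:]]
    require = [t[1:] for t in d if t[0] == "require"]
    if require:  # Apache 2.4 syntax; bare Require lines are OR-ed together
        return all(r == ["local"] or (r[0:1] == ["ip"] and len(r) > 1
                   and set(r[1:]) <= LOOPBACK) for r in require)
    # Apache 2.2 syntax from the report: Order Allow,Deny denies by default
    return order[-1:] == ["allow,deny"] and bool(allow) and set(allow) <= LOOPBACK

# Constructed sample configs, not taken from the package.
SAMPLE_OPEN = "<Location /rt>\n    SetHandler perl-script\n</Location>\n"
SAMPLE_FIXED = SAMPLE_OPEN + (
    "<Location /rt/REST/1.0/NoAuth>\n"
    "    Order Allow,Deny\n"
    "    Allow from 127.0.0.1\n"
    "</Location>\n"
)

if __name__ == "__main__":
    for name, conf in (("open", SAMPLE_OPEN), ("fixed", SAMPLE_FIXED)):
        print(name, "local-only" if noauth_is_local_only(conf) else "NOT restricted")
```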

