Bug 40811 - restrict access to /univention-management-console/ (and other sites)
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: Apache
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Reported: 2016-03-01 17:59 CET by Dirk Ahrnke
Modified: 2019-01-03 07:20 CET
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
School Customer affected?: Yes
Ticket number: 2018040621000221
Description Dirk Ahrnke 2016-03-01 17:59:14 CET
http://forum.univention.de/viewtopic.php?f=56&t=3622
Some users have security-related concerns about exposing the u-m-c and /ucs-overview to the world if the host provides services which should be publicly available (like Z-Push).
The linked thread contains some general ideas.
Comment 1 robert.evert 2016-05-02 14:22:02 CEST
Hm, the bug #32521 is private?
Comment 2 Florian Best univentionstaff 2016-05-02 14:23:16 CEST
(In reply to robert.evert from comment #1)
> Hm, the bug #32521 is private?
Yes. It contains security-related information on how to detect UCS systems on the internet. It will be exposed when it is fixed.
Comment 3 Michel Smidt 2017-11-28 22:39:12 CET
Asked by a school customer for his portal.
Comment 4 Christian Völker univentionstaff 2018-04-09 10:35:49 CEST
Asked by a customer again. 

Indeed, some UCS systems are exposed to the Internet.

Only local networks should be allowed to access UMC.
Comment 5 Stefan Gohmann univentionstaff 2019-01-03 07:20:49 CET
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 ended on the 5th of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.