Univention Bugzilla – Bug 45644
unprotected univention-directory-reports
Last modified: 2021-06-23 07:29:14 CEST
It's a regression from Bug #24341 / r35895 / f280033bc3840fcc467abbc1ec7a772233a9a91b. Workaround: a2ensite univention-directory-manager.conf; service apache2 reload
The directory /var/www/univention-directory-reports has been removed. Instead the new directory /usr/share/univention-management-console-module-udm is used.
Apache doesn't serve the files anymore. Instead they are served by the UMC module, so that authentication is required.
A brute force attack for the file name only works with permissions for the UDM module now and isn't worth it for 58 ** 6 requests.
Old files are moved into the new directory.
The cleanup-cronjob uses the new directory now.
The report file is now automatically downloaded instead of another necessary click.

univention-management-console-module-udm.yaml
cc71a8621887 | Bug #45644: Merge branch 'fbest/45644-protect-univention-directory-reports' into 4.2-2
9ff92006d113 | YAML Bug #45644

univention-management-console-module-udm (7.0.10-22)
ab49e39d5fdd | Bug #45644: disable also apache config if it was enabled (systems prior UCS 3.x)
cc71a8621887 | Bug #45644: Merge branch 'fbest/45644-protect-univention-directory-reports' into 4.2-2
523a58eaa7e3 | Bug #45644: move the report directory for security reasons from /var/www/univention-directory-reports to /usr/share/univention-management-console-module-udm
The old reports are not removed/moved during the update: postinst is always called with "configure", not "upgrade".
univention-management-console-module-udm (7.0.10-23)
1fd0040a5ef7 | Bug #45644: fix typo in postinst
FAIL - please update version in yaml
OK - update moves old reports
OK - /univention-directory-reports/ no longer accessible
OK - report permissions
OK - report download
univention-management-console-module-udm.yaml
60080fd487fe | YAML Bug #45644
OK
<http://errata.software-univention.de/ucs/4.2/212.html>