Bug 45644

Summary: unprotected univention-directory-reports
Product: UCS
Reporter: Jannik Ahlers <ahlers>
Component: LDAP
Assignee: Florian Best <best>
Status: CLOSED FIXED
QA Contact: Felix Botner <botner>
Severity: normal
Priority: P5
CC: birkefeld, botner, grandjean
Version: UCS 4.2
Target Milestone: UCS 4.2-2-errata
Hardware: Other
OS: Linux
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
Bug Depends on:
Bug Blocks: 45680

Comment 1 Florian Best univentionstaff 2017-11-07 16:31:42 CET
It's a regression from Bug #24341 / r35895 / f280033bc3840fcc467abbc1ec7a772233a9a91b.

Workaround:
a2ensite univention-directory-manager.conf; service apache2 reload
Comment 2 Florian Best univentionstaff 2017-11-07 17:33:57 CET
The directory /var/www/univention-directory-reports has been removed.
Instead the new directory /usr/share/univention-management-console-module-udm is used. Apache doesn't serve the files anymore. Instead they are served by the UMC module, so that authentication is required. A brute force attack for the file name only works with permissions for the UDM module now and isn't worth it for 58 ** 6 requests. Old files are moved into the new directory. The cleanup-cronjob uses the new directory now. The report file is now automatically downloaded instead of another necessary click.

univention-management-console-module-udm.yaml
cc71a8621887 | Bug #45644: Merge branch 'fbest/45644-protect-univention-directory-reports' into 4.2-2
9ff92006d113 | YAML Bug #45644

univention-management-console-module-udm (7.0.10-22)
ab49e39d5fdd | Bug #45644: also disable the apache config if it was enabled (systems prior to UCS 3.x)
cc71a8621887 | Bug #45644: Merge branch 'fbest/45644-protect-univention-directory-reports' into 4.2-2
523a58eaa7e3 | Bug #45644: move the report directory for security reasons from /var/www/univention-directory-reports to /usr/share/univention-management-console-module-udm
Comment 3 Felix Botner univentionstaff 2017-11-08 09:43:14 CET
The old reports are not removed/moved during the update.

postinst is always called with "configure", not "upgrade".
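The upgrade path that Comment 3 flags, as an added example that is not the package's own postinst: dpkg runs a maintainer script as `configure <previously-configured-version>` for both fresh installs and upgrades (there is no `upgrade` action for postinst), so the script tells the two apart by whether the second argument is empty. The directory names follow Comment 2; the `is_upgrade` and `migrate_reports` helper names, and keying the move on the old directory's existence rather than on a version comparison, are this example's own choices.

```shell
#!/bin/sh
# Added example, not the real univention-management-console-module-udm
# postinst. Moves report files out of the Apache-served directory on
# upgrade, keyed on dpkg's "configure <old-version>" calling convention.
set -e

OLD_REPORT_DIR="/var/www/univention-directory-reports"
NEW_REPORT_DIR="/usr/share/univention-management-console-module-udm"

# Move everything from the old directory into the new one and drop the old
# directory. Idempotent: a missing old directory is not an error, so a
# second configure run of the same version is harmless.
migrate_reports() {
    old="$1"
    new="$2"
    [ -d "$old" ] || return 0
    mkdir -p "$new"
    for f in "$old"/*; do
        [ -e "$f" ] || continue       # empty directory: the glob stays literal
        mv -- "$f" "$new/"
    done
    # dotfiles are not matched by "*"; if anything is left, keep the
    # directory rather than fail the whole package configuration
    rmdir -- "$old" 2>/dev/null || true
}

# dpkg calls postinst as "configure <most-recently-configured-version>";
# the version argument is empty on a fresh install. A "case upgrade)"
# branch (the kind of slip Comment 3 points at) would never run.
# Returns 0 when this configure call is an upgrade.
is_upgrade() {
    [ "$1" = configure ] && [ -n "$2" ]
}

case "$1" in
    configure)
        if is_upgrade "$1" "$2"; then
            migrate_reports "$OLD_REPORT_DIR" "$NEW_REPORT_DIR"
            # To restrict the move to upgrades from affected versions, add a
            # guard such as: dpkg --compare-versions "$2" lt 7.0.10-22
            # (assumed version bound, not exercised here).
        fi
        ;;
esac
```

Run with `sh postinst configure 7.0.10-21` to simulate an upgrade and `sh postinst configure` to simulate a fresh install; only the former touches the directories. The Apache site handling from commit ab49e39d5fdd is not modelled here.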
Comment 4 Florian Best univentionstaff 2017-11-08 10:09:05 CET
univention-management-console-module-udm (7.0.10-23)
1fd0040a5ef7 | Bug #45644: fix typo in postinst
Comment 5 Felix Botner univentionstaff 2017-11-08 10:37:52 CET
FAIL - please update version in yaml

OK - update moves old reports
OK - /univention-directory-reports/ no longer accessible
OK - report permissions
OK - report download
Comment 6 Florian Best univentionstaff 2017-11-08 10:44:13 CET
univention-management-console-module-udm.yaml
60080fd487fe | YAML Bug #45644
Comment 7 Felix Botner univentionstaff 2017-11-08 11:02:10 CET
OK
Comment 8 Arvid Requate univentionstaff 2017-11-08 14:59:13 CET
<http://errata.software-univention.de/ucs/4.2/212.html>