Bug 456422

Summary: Spacewalk: CVE-2003-1138
Product: [Community] Spacewalk
Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: Server
Assignee: Jan Pazdziora (Red Hat) <jpazdziora>
Status: CLOSED CURRENTRELEASE
QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: medium
Docs Contact:
Priority: medium
Version: 0.1
CC: dgoodwin
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-17 06:59:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 456550

Description Jan Pazdziora (Red Hat) 2008-07-23 14:12:55 UTC
Description of problem:

When run on RHEL 5, Spacewalk might be vulnerable to CVE-2003-1138, using
double slashes in the URL.

How reproducible:
Deterministic.

Steps to Reproduce:
1. Go to https://spacewalk.example.com//

Actual results:
You get a directory listing

Expected results:
You should not get a directory listing

Additional info:

Since Spacewalk avoids RHEL's default configuration and its conf.d/welcome.conf,
the LocationMatch is not in effect.

This bug is related to bug #454965.
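For reference, an added example of the kind of LocationMatch block the description alludes to, in the style of RHEL's conf.d/welcome.conf; this is editorial illustration, not the content of the referenced Spacewalk commit, and the error page path and document root below are assumptions:

```apache
# Added example (assumption): a LocationMatch block of the kind RHEL ships in
# /etc/httpd/conf.d/welcome.conf. The regex "^/+$" matches "/", "//", "///"
# and so on, so a request for the document root with doubled slashes
# (the CVE-2003-1138 case) is covered as well as the plain "/" request.
<LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /error/noindex.html
</LocationMatch>

# A deployment that does not include welcome.conf can instead disable
# automatic indexes for the whole document root (path is an assumption),
# which does not depend on how many slashes the request contains.
<Directory "/var/www/html">
    Options -Indexes
</Directory>
```

After reloading httpd, a request for the root with doubled slashes should return 403 or the site's index page rather than a generated listing.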

Comment 1 Jan Pazdziora (Red Hat) 2008-07-23 14:16:38 UTC
Fix committed: f751a818a5b7a9be61e9b012b9c5ff6184223789.

Comment 2 Devan Goodwin 2008-09-05 14:47:35 UTC
Looks good in spacewalk 0.2. Verified.

Comment 3 Miroslav Suchý 2009-09-17 06:59:37 UTC
Spacewalk has been released for a long time.