Bug 456422 - Spacewalk: CVE-2003-1138
Summary: Spacewalk: CVE-2003-1138
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Server
Version: 0.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: space02
Reported: 2008-07-23 14:12 UTC by Jan Pazdziora
Modified: 2009-09-17 06:59 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-17 06:59:37 UTC
Embargoed:



Description Jan Pazdziora 2008-07-23 14:12:55 UTC
Description of problem:

When run on RHEL 5, Spacewalk might be vulnerable to CVE-2003-1138, using
double slashes in the URL.

How reproducible:
Deterministic.

Steps to Reproduce:
1. Go to https://spacewalk.example.com//

Actual results:
You get a directory listing

Expected results:
You should not get a directory listing

Additional info:

Since Spacewalk avoids RHEL's default configuration and its conf.d/welcome.conf,
the LocationMatch is not in effect.

This bug is related to bug #454965.
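
The gap described under "Additional info", as an added example that is not part of the original report or of Spacewalk's fix: a small Python check that reports which spellings of the root URL are not covered by any `<LocationMatch>` block carrying `Options -Indexes`. The sample configurations are constructed, the function names are hypothetical, and Python's `re` stands in for Apache's regex engine, an assumption that holds for simple patterns like these.

```python
import re

# Constructed sample configurations (not Spacewalk's or RHEL's actual files).
NO_BLOCK = '''
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
'''
SINGLE_SLASH = NO_BLOCK + '''
<LocationMatch "^/$">
    Options -Indexes
</LocationMatch>
'''
ANY_SLASHES = NO_BLOCK + '''
# <LocationMatch "^/$">   (commented out, must be ignored)
<LocationMatch "^/+$">
    Options -Indexes
</LocationMatch>
'''

BLOCK_RE = re.compile(
    r'<LocationMatch\s+"?([^">]+)"?\s*>(.*?)</LocationMatch\s*>', re.S | re.I)
ROOT_SPELLINGS = ["/", "//", "///"]


def disables_indexes(body):
    """True if the block body has an Options line containing -Indexes."""
    for line in body.splitlines():
        tokens = line.split()
        if tokens and tokens[0].lower() == "options":
            if "-indexes" in (t.lower() for t in tokens[1:]):
                return True
    return False


def uncovered_root_urls(conf_text):
    """Return the root-URL spellings no index-disabling LocationMatch covers."""
    # Drop comment lines first so a commented-out block is not counted.
    active = "\n".join(l for l in conf_text.splitlines()
                       if not l.lstrip().startswith("#"))
    patterns = [re.compile(pat) for pat, body in BLOCK_RE.findall(active)
                if disables_indexes(body)]
    return [u for u in ROOT_SPELLINGS
            if not any(p.search(u) for p in patterns)]


if __name__ == "__main__":
    for name, conf in [("no block", NO_BLOCK), ("^/$", SINGLE_SLASH),
                       ("^/+$", ANY_SLASHES)]:
        print(name, "->", uncovered_root_urls(conf) or "all covered")
```

The check only looks at `<LocationMatch>` coverage; a server can also be protected by not enabling `Indexes` at all or by always serving an index document.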

Comment 1 Jan Pazdziora 2008-07-23 14:16:38 UTC
Fix committed: f751a818a5b7a9be61e9b012b9c5ff6184223789.

Comment 2 Devan Goodwin 2008-09-05 14:47:35 UTC
Looks good in spacewalk 0.2. Verified.

Comment 3 Miroslav Suchý 2009-09-17 06:59:37 UTC
Spacewalk has been released for a long time.

