Entry  18 Jul 2023, Gennaro Tortone, Bug Report, access to filesystem through mhttpd 
    Reply  18 Jul 2023, Konstantin Olchanski, Bug Report, access to filesystem through mhttpd 
       Reply  19 Jul 2023, Zaher Salman, Bug Report, access to filesystem through mhttpd 
Message ID: 2555     Entry time: 18 Jul 2023     Reply to this: 2557
Author: Gennaro Tortone 
Topic: Bug Report 
Subject: access to filesystem through mhttpd 
Hi,

after some network security scans I received some warnings because mhttpd exposes
the server filesystem through HTTP(S)...

in detail, a MIDAS user can access /etc/passwd or download other files from the
filesystem using a web browser:

(e.g. http://midas.host:8080/etc/passwd)

I know that /etc/passwd does not contain users' passwords and mhttpd runs as an
unprivileged user, but in principle this should be avoided in order to minimize
security risks: if I authorize a user to use the MIDAS interface in order to handle
acquisition tasks, this should not authorize the user to access the server filesystem...
this access should be restricted to MIDAS web pages, custom pages etc.

What do you think about this?

Cheers,
Gennaro
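The confinement the report asks for (serve only files under a fixed set of resource directories, never an arbitrary absolute path) is shown below as an added example. It is generic illustration code, not mhttpd's own file-serving logic, and the directory layout it builds under a temporary directory is constructed for the example. The check has two layers: a lexical one that rejects any ".." component and strips the leading "/" so that "/etc/passwd" can only mean "<root>/etc/passwd", and an on-disk one that resolves the final path with realpath and refuses it when a symlink inside the root points outside it.

```python
import os
import tempfile
from pathlib import PurePosixPath
from urllib.parse import unquote


def map_request_path(url_path):
    """Turn the path part of a URL into a relative path that is safe to join
    onto a document root, or return None when the request must be refused.

    The path is percent-decoded exactly once (a server should never decode
    twice), "." components are dropped, and an empty path, an embedded NUL
    byte or any ".." component is rejected outright. The leading "/" is
    stripped, so "/etc/passwd" becomes "etc/passwd" and can only ever name a
    file inside the root, never the real /etc/passwd.
    """
    decoded = unquote(url_path.split("?", 1)[0])
    if "\x00" in decoded:
        return None
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    return str(PurePosixPath(*parts))


def resolve_in_roots(url_path, roots):
    """Return the on-disk file that may be served for url_path, or None.

    roots: the only directories the server may serve from, tried in order.
    After joining, the candidate is resolved with realpath so that a symlink
    inside a root that points outside it is refused as well.
    """
    rel = map_request_path(url_path)
    if rel is None:
        return None
    for root in roots:
        real_root = os.path.realpath(root)
        candidate = os.path.realpath(os.path.join(real_root, rel))
        if os.path.commonpath([real_root, candidate]) != real_root:
            continue  # a symlink led outside this root
        if os.path.isfile(candidate):
            return candidate
    return None


def demo():
    """Build a throwaway layout (constructed for this example) and exercise
    the checks.

    Returns (served, status_ok): served maps each request to whether a file
    would be served; status_ok tells whether the one legitimate request was
    mapped to the expected file under the root.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "resources")   # the only allowed root
        outside = os.path.join(tmp, "outside")  # stands in for the rest of the disk
        os.makedirs(os.path.join(root, "custom"))
        os.makedirs(outside)
        with open(os.path.join(root, "custom", "status.html"), "w") as f:
            f.write("<html>ok</html>")
        with open(os.path.join(outside, "secret.txt"), "w") as f:
            f.write("not for the web")
        # A symlink inside the root that points outside it.
        os.symlink(os.path.join(outside, "secret.txt"), os.path.join(root, "leak"))

        requests = [
            "/custom/status.html",                      # legitimate custom page
            "/etc/passwd",                              # absolute path, as in the report
            "/../outside/secret.txt",                   # plain dot-dot traversal
            "/custom/%2e%2e/%2e%2e/outside/secret.txt", # percent-encoded dot-dot
            "/leak",                                    # symlink escaping the root
        ]
        results = {r: resolve_in_roots(r, [root]) for r in requests}
        expected = os.path.realpath(os.path.join(root, "custom", "status.html"))
        served = {r: p is not None for r, p in results.items()}
        return served, results["/custom/status.html"] == expected


if __name__ == "__main__":
    print(demo())
```

Rejecting ".." lexically before touching the disk keeps the check free of time-of-check/time-of-use issues, while the realpath comparison catches the case the lexical check cannot see: a symlink created under the resource directory. The two together give the behaviour the report asks for, where a browser request can reach MIDAS resource and custom pages but nothing else on the server.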