Midas DAQ System
Entry  18 Jul 2023, Gennaro Tortone, Bug Report, access to filesystem through mhttpd 
    Reply  18 Jul 2023, Konstantin Olchanski, Bug Report, access to filesystem through mhttpd 
       Reply  19 Jul 2023, Zaher Salman, Bug Report, access to filesystem through mhttpd 
Message ID: 2557     Entry time: 18 Jul 2023     In reply to: 2555     Reply to this: 2558
Author: Konstantin Olchanski 
Topic: Bug Report 
Subject: access to filesystem through mhttpd 
> (e.g. http://midas.host:8080/etc/passwd)

Not again! I complained about this before, and I added a fix, but it must be broken again.

Getting a copy of /etc/passwd is reasonably benign, but getting a copy of 
/home/$USER/.ssh/id_rsa, id_rsa.pub, knownhosts and authorized_keys is a disaster.

(Running mhttpd behind a web proxy does not solve the problem; the number of attackers is 
reduced to only the people who know the proxy password and to local users.)

K.O.