search

nuxsmin / docker-syspass

Docker stuff for running sysPass on Docker
GNU General Public License v3.0
39 stars 21 forks source link

default apache config leaks privat files #22

Closed schleyk closed 5 years ago

schleyk commented 5 years ago

Hi, the default apache config inside the docker image make it possible to leak everything.

grafik

nuxsmin commented 5 years ago

Hi, are you using the latest version? https://github.com/nuxsmin/docker-syspass/blob/master/sysPass/000-default.conf

It only grants access to index.php or api.php files and public directory.

Regards

schleyk commented 5 years ago

Hi nuxsmin, yes exact this config is loaded inside the container. root@e048a265c194:/etc/apache2/sites-enabled# cat 000-default.conf

<VirtualHost *:80>
  # The ServerName directive sets the request scheme, hostname and port that
  # the server uses to identify itself. This is used when creating
  # redirection URLs. In the context of virtual hosts, the ServerName
  # specifies what hostname must appear in the request's Host: header to
  # match this virtual host. For the default virtual host (this file) this
  # value is not decisive as it is used as a last resort host regardless.
  # However, you must set it for any further virtual host explicitly.
  #ServerName www.example.com

  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html/sysPass

  # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
  # error, crit, alert, emerg.
  # It is also possible to configure the loglevel for particular
  # modules, e.g.
  #LogLevel info ssl:warn

  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

  # For most configuration files from conf-available/, which are
  # enabled or disabled at a global level, it is possible to
  # include a line for only one particular virtual host. For example the
  # following line enables the CGI configuration for this host only
  # after it has been globally disabled with "a2disconf".
  #Include conf-available/serve-cgi-bin.conf

  # RedirectMatch "^/$" "/index.php"

  <Directory "/var/www/html/sysPass">
    Options -Indexes -FollowSymLinks -Includes -ExecCGI
    Require expr "%{REQUEST_URI} =~ /(index|api\.php)?/"
  </Directory>

  <Directory "/var/www/html/sysPass/public">
    Require all granted
  </Directory>

</VirtualHost>

# vim: syntax=apache ts=2 sw=2 sts=2 sr noet

I fix this "problem" with my own config:

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html/sysPass
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  <Directory "/var/www/html/sysPass">
    Options -Indexes -FollowSymLinks -Includes -ExecCGI
    Require expr "%{REQUEST_URI} =~ /(index|api\.php)?/"
  </Directory>

  <Directory "/var/www/html/sysPass/public">
    Require all granted
  </Directory>

</VirtualHost>

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/sysPass
    ErrorLog ${APACHE_LOG_DIR}/ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/ssl-access.log combined
    SSLEngine on
    SSLCertificateFile  /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-6]" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    <Directory "/var/www/html/sysPass">
      Options -Indexes -FollowSymLinks -Includes -ExecCGI
      Require expr "%{REQUEST_URI} =~ /(index|api\.php)?/"
    </Directory>

    <Directory "/var/www/html/sysPass/public">
      Require all granted
    </Directory>

    <Directory "/var/www/html/sysPass/app/backup">
      Require all denied
    </Directory>

    <Directory "/var/www/html/sysPass/app/config">
      Require all denied
    </Directory>

  </VirtualHost>
</IfModule>
nuxsmin commented 5 years ago

I can't figure out why it isn't working as expected, since the first directory block should deny access to other files

schleyk commented 5 years ago

can you reproduce the problem?

nuxsmin commented 5 years ago

It might be caused by the regular expression, which needs to match empty URLs too and it would let to use other URLs which don't include index or api

nuxsmin commented 5 years ago

Not reproducible on demo site (it runs on Docker)

http://demo-beta.syspass.org:10080/app/config/config.xml