View Issue Details

This bug affects 2 person(s).
ID: 17580
Project: Bug reports
Category: Security
View Status: public
Last Update: 2021-09-09 08:36
Reporter: Mazi
Assigned To: galads
Priority: none
Severity: minor
Status: confirmed
Resolution: open
Product Version: 3.25.20
Summary: 17580: readme and release note are publicly accessible and can reveal version details to attackers
Description

The readme and for some systems the release note details can be accessed publicly (example: https://ls3.my-survey.host/README.md or https://demo.limesurvey.org/docs/release_notes.txt). This could reveal version details to attackers.

Should we extend the .htaccess file to not make these accessible from the web?

Tags: No tags attached.
Bug heat: 260
Complete LimeSurvey version number (& build): 3.22.10+200323
I will donate to the project if issue is resolved: No
Browser: Chrome
Database type & version: MySQL
Server OS (if known): Ubuntu 20
Webserver software & version (if known): Apache
PHP Version: 7.2.24

Users monitoring this issue

There are no users monitoring this issue.

Activities

DenisChenu (developer), 2021-09-08 14:58, note ~66404

It's false for docs/* (with Apache):
https://github.com/LimeSurvey/LimeSurvey/blob/master/docs/.htaccess

Must be added in the nginx part of the manual: https://manual.limesurvey.org/General_FAQ#With_nginx_webserver
And: https://manual.limesurvey.org/Installation_security_hints#Web_server_restriction
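As an added illustration of the root-level .htaccess rule the report asks about (this is example configuration written for this thread, not LimeSurvey's own docs/.htaccess, which per the comment above already covers docs/* on Apache), the following block denies web access to README.md at the application root and to release_notes.txt wherever it sits below it. It assumes Apache with AllowOverride enabled for the web root and mod_authz_core (Apache 2.4); the 2.2 fallback is included for older hosts.

```apache
# Added example for the LimeSurvey web root .htaccess (not project code).
# <FilesMatch> in a directory's .htaccess also applies to files in
# subdirectories, so this covers docs/release_notes.txt as well as README.md.
<FilesMatch "^(README\.md|release_notes\.txt)$">
    # Apache 2.4: mod_authz_core syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback (assumed hosts still running the older syntax)
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
```

After deploying, confirm that a browser request for /README.md and /docs/release_notes.txt returns 403 instead of the file contents. nginx never reads .htaccess files, so an nginx host needs an equivalent location rule in its server block, which is the manual addition the comment above refers to.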

c_schmitz (administrator), 2021-09-09 08:32, note ~66411

I think you can figure out the major version by just looking at the login and code, so I am not so worried about the README, but I agree that the changelog should be either renamed (maybe *.php with a die()) or removed.

Issue History

Date Modified Username Field Change
2021-09-08 13:02 Mazi New Issue
2021-09-08 14:58 DenisChenu Note Added: 66404
2021-09-08 14:58 DenisChenu Bug heat 250 => 252
2021-09-09 08:32 c_schmitz Note Added: 66411
2021-09-09 08:32 c_schmitz Bug heat 252 => 254
2021-09-09 08:32 guest Bug heat 254 => 260
2021-09-09 08:36 galads Assigned To => galads
2021-09-09 08:36 galads Status new => confirmed