Documents can be downloaded regardless of their security settings (staff only or admin only). For example, if the latest items or search results page shows the document thumbnail and the thumbnail links to the document file, the file can be downloaded without the need to log in.
Initial investigation indicates that this is a library issue with mod_perl (mod_perl 2.09 against Apache 2.4).
In cfg.d/security.pl, the following line gives an error and makes the security checking function return prematurely, which subsequently allows anyone to download a restricted document:
my $ip = $r->connection()->remote_ip();
The machine detail:
CentOS Linux release 7.0.1406 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CentOS Linux release 7.0.1406 (Core)
Apache version:
Server version: Apache/2.4.6 (CentOS)
Server built: Jan 12 2015 13:22:31
mod_perl version: 2.000009
A temp fix is to comment out the line from the security.pl.
This fix implies that the IP based authentication (e.g. campus IP can download the document without needing to log in) would no longer work.
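An added example, not part of the original report or of the EPrints code base: a sketch of an IP lookup that cannot abort the access check, paired with a check that requires login whenever the client address cannot be determined. It assumes `client_ip` as the Apache 2.4 name of the connection accessor that replaced `remote_ip`; the mock connection classes, the `peer_ip` and `check_document_access` helpers, the verdict strings and the campus range are all hypothetical.

```perl
use strict;
use warnings;

# Constructed stand-ins for the mod_perl connection object, so this runs offline.
{ package Conn22;     sub new { bless {}, shift } sub remote_ip { '192.0.2.10' } }
{ package Conn24;     sub new { bless {}, shift } sub client_ip { '192.0.2.10' } }
{ package ConnBroken; sub new { bless {}, shift } }    # neither accessor available

# Return the peer address, or nothing if no accessor works. Never dies.
sub peer_ip {
    my ($conn) = @_;
    for my $method (qw(client_ip remote_ip)) {    # Apache 2.4 name first, then 2.2
        next unless $conn->can($method);
        my $ip = eval { $conn->$method() };
        return $ip if defined $ip && length $ip;
    }
    return;
}

# Hypothetical access check. The verdict strings and the campus range are
# constructed for this example. Any failure to identify the client ends in
# LOGIN_REQUIRED, never in an implicit allow.
sub check_document_access {
    my ($conn, $security) = @_;
    return 'ALLOW' if $security eq 'public';
    my $ip = peer_ip($conn);
    return 'LOGIN_REQUIRED' unless defined $ip;         # fail closed
    return 'ALLOW' if $ip =~ /\A192\.0\.2\.\d{1,3}\z/;  # campus IP exemption
    return 'LOGIN_REQUIRED';
}

for my $conn (Conn22->new, Conn24->new, ConnBroken->new) {
    printf "%-10s staff-only document => %s\n",
        ref $conn, check_document_access($conn, 'staffonly');
}
```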