View Issue Details

ID: 0000887
Project: savapage-server
Category: [All Projects] Security
View Status: public
Last Update: 2018-04-30 16:11
Reporter: rijkr
Assigned To: rijkr
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 0.9.12
Target Version: 1.0.0
Fixed in Version: 1.0.0
Summary: 0000887: Enhance private JSON-RPC security
Description:

IST (current state): savapage-cmd uses the server hostname as the JSON-RPC end-point. As a result the servlet resolves the remote address to the local loopback address 127.0.0.1, which is accepted as such. This introduces a security risk when remote access to SavaPage is proxied, e.g. by an Apache redirect, since in this case the remote address is 127.0.0.1 in all cases.

SOLL (required state): savapage-cmd must use the server IP address as the end-point. As a result the JSON-RPC servlet resolves the remote address to this same address, and can thereby restrict access to private calls to this address only.
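The pre-fix and post-fix access policies side by side, as an added illustration that is not SavaPage's own code: the server address, the request table and the two policy functions are constructed for this example, and the proxy is assumed to forward to loopback, as the issue describes.

```python
import ipaddress

# Constructed placeholder for the server's own (non-loopback) address.
SERVER_IP = "192.0.2.10"


def allowed_before(remote_addr: str) -> bool:
    """Pre-fix policy as described in the issue: a private JSON-RPC call is
    accepted whenever the request appears to come from the loopback address."""
    return ipaddress.ip_address(remote_addr).is_loopback


def allowed_after(remote_addr: str, server_ip: str = SERVER_IP) -> bool:
    """Post-fix policy: a private call is accepted only when the remote address
    equals the server IP address that savapage-cmd now uses as end-point."""
    return ipaddress.ip_address(remote_addr) == ipaddress.ip_address(server_ip)


# Constructed requests: (label, remote address as the servlet sees it).
# A reverse proxy on the same host makes every external client look like
# 127.0.0.1, which is exactly what the loopback check cannot distinguish.
REQUESTS = [
    ("savapage-cmd via hostname (resolves to loopback)", "127.0.0.1"),
    ("remote browser proxied by Apache on the same host", "127.0.0.1"),
    ("savapage-cmd via server IP", SERVER_IP),
    ("remote client hitting the port directly", "198.51.100.7"),
]


def evaluate(requests=REQUESTS):
    """Return (label, accepted_before, accepted_after) for each request."""
    return [(label, allowed_before(addr), allowed_after(addr))
            for label, addr in requests]


if __name__ == "__main__":
    for label, before, after in evaluate():
        print(f"{label:52} before={str(before):5} after={after}")
```

The hardened check only isolates proxied traffic because the proxy hands requests to the loopback address; a proxy configured to forward to the server IP itself would pass it, so the proxy target is part of the trust boundary.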
Tags: No tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2017-11-03 10:01 rijkr New Issue
2017-11-03 10:01 rijkr Status new => assigned
2017-11-03 10:01 rijkr Assigned To => rijkr
2017-11-03 10:01 rijkr Status assigned => resolved
2017-11-03 10:01 rijkr Resolution open => fixed
2017-11-03 10:01 rijkr Fixed in Version => 1.0.0
2018-04-30 16:11 rijkr Status resolved => closed