View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000887 | savapage-server | [All Projects] Security | public | 2017-11-03 10:01 | 2018-04-30 16:11 |
| Reporter | rijkr | Assigned To | rijkr | ||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Product Version | 0.9.12 | ||||
| Target Version | 1.0.0 | Fixed in Version | 1.0.0 | ||
| Summary | 0000887: Enhance private JSON-RPC security | ||||
| Description | IST: savapage-cmd uses the server hostname as JSON-RPC end-point. As a result the servlet resolves the remote address to the local loop address 127.0.0.1, which is accepted as such. This introduces a security risk when remote access to SavaPage is proxied, e.g. by Apache redirect, since in this case the remote address is 127.0.0.1 in all cases. SOLL: savapage-cmd must use the server IP address as end-point. As a result the JSON-RPC servlet resolves the remote address to this same address, and can thereby restrict access to private calls to this address only. | ||||
| Tags | No tags attached. | ||||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2017-11-03 10:01 | rijkr | New Issue | |
| 2017-11-03 10:01 | rijkr | Status | new => assigned |
| 2017-11-03 10:01 | rijkr | Assigned To | => rijkr |
| 2017-11-03 10:01 | rijkr | Status | assigned => resolved |
| 2017-11-03 10:01 | rijkr | Resolution | open => fixed |
| 2017-11-03 10:01 | rijkr | Fixed in Version | => 1.0.0 |
| 2018-04-30 16:11 | rijkr | Status | resolved => closed |
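
The description's current (IST) and target (SOLL) access checks, side by side, as an added example that is not SavaPage code. The class and method names are hypothetical, the addresses are constructed documentation values, and the proxy is assumed to forward to the loopback address as the description states.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

// Added illustration: class and method names are hypothetical, not SavaPage code.
public class PrivateRpcAccessCheck {

    // IST: any loopback peer may make private calls. remoteAddr is the IP
    // literal a servlet container reports, so getByName() does no DNS lookup.
    static boolean allowedIst(String remoteAddr) throws UnknownHostException {
        return InetAddress.getByName(remoteAddr).isLoopbackAddress();
    }

    // SOLL: only a peer whose address equals the server's own IP address.
    static boolean allowedSoll(String remoteAddr, InetAddress serverAddr)
            throws UnknownHostException {
        // Fail closed if the configured server address is itself loopback or
        // a wildcard: the check would then fall back to the IST behaviour.
        if (serverAddr.isLoopbackAddress() || serverAddr.isAnyLocalAddress()) {
            return false;
        }
        return InetAddress.getByName(remoteAddr).equals(serverAddr);
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample values (RFC 5737 documentation addresses).
        InetAddress server = InetAddress.getByName("192.0.2.10");
        String[][] peers = {
            {"local client dialling the hostname", "127.0.0.1"},
            {"local client dialling the server IP", "192.0.2.10"},
            {"remote user behind a local proxy", "127.0.0.1"},
            {"remote user connecting directly", "198.51.100.7"},
        };
        for (String[] p : peers) {
            System.out.printf("%-38s %-13s IST=%-5b SOLL=%b%n",
                    p[0], p[1], allowedIst(p[1]), allowedSoll(p[1], server));
        }
    }
}
```

The SOLL check tells the local client apart from proxied users only while the proxy forwards to the loopback address. A proxy on the same host that forwards to the server IP presents that IP as its source address and would pass the check.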