[web2py] Re: IMPORTANT SECURITY ISSUE

2016-03-19 Thread Massimo Di Pierro
yes.

On Thursday, 17 March 2016 18:01:59 UTC-5, Antonio Salazar wrote:
>
> Since this is not a vulnerability, can Examples be simply disabled?
>
> On Tuesday, March 15, 2016 at 10:43:24 AM UTC-6, Massimo Di Pierro wrote:
>>
>> An important security issue has come up.
>>
>> If you use web2py in production with the rocket web server (which you 
>> should not anyway):
>> 1) delete the "examples" app
>> 2) make sure your pages do not expose the {{=response.toolbar}} 
>>
>> Please follow the above guidelines because exposing internal system 
>> status may help attackers gain confidential information about your system.
>> The web2py in trunk will prevent the information leakage by default but 
>> removing "examples" is the safest way.
>>
>> If you use nginx or apache or other wsgi server there is no problem but 
>> you may still want to follow the above rules in production.
>>
>> Massimo
>>
>>
>>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
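As an added check that is not part of this thread or of web2py itself, the script below walks a web2py install and reports the two conditions Massimo lists: a surviving `examples` app under `applications/`, and any view file that renders `response.toolbar`. It builds a constructed sample tree in a temporary directory so it runs offline; point `audit_web2py` at a real install root instead.

```python
import os
import re
import tempfile

# Matches the template call with or without parentheses, e.g.
# {{=response.toolbar}} or {{= response.toolbar() }}.
TOOLBAR_RE = re.compile(r"\{\{\s*=\s*response\.toolbar\b")


def audit_web2py(root):
    """Return (kind, path-relative-to-root) findings for a web2py tree.

    'examples_app'  - the bundled "examples" application is still present
    'toolbar_view'  - a view under some app's views/ renders response.toolbar
    """
    findings = []
    apps_dir = os.path.join(root, "applications")
    examples = os.path.join(apps_dir, "examples")
    if os.path.isdir(examples):
        findings.append(("examples_app", os.path.relpath(examples, root)))
    for dirpath, _dirs, files in os.walk(apps_dir):
        # Only look inside each application's views/ folder (and subfolders).
        if "views" not in os.path.relpath(dirpath, apps_dir).split(os.sep):
            continue
        for name in files:
            if not name.endswith(".html"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if any(TOOLBAR_RE.search(line) for line in fh):
                    findings.append(("toolbar_view", os.path.relpath(path, root)))
    return findings


def build_sample_tree():
    """Create a constructed, minimal web2py-like tree (not a real install)."""
    root = tempfile.mkdtemp(prefix="web2py_audit_")
    files = {
        "applications/examples/views/default/index.html": "<h1>demo</h1>\n",
        "applications/myapp/views/layout.html":
            "<body>{{include}}{{=response.toolbar()}}</body>\n",
        "applications/safe/views/layout.html": "<body>{{include}}</body>\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for kind, where in audit_web2py(build_sample_tree()):
        print(kind, where)
```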


[web2py] Re: IMPORTANT SECURITY ISSUE

2016-03-19 Thread Antonio Salazar
Since this is not a vulnerability, can Examples be simply disabled?

On Tuesday, March 15, 2016 at 10:43:24 AM UTC-6, Massimo Di Pierro wrote:
>
> An important security issue has come up.
>
> If you use web2py in production with the rocket web server (which you 
> should not anyway):
> 1) delete the "examples" app
> 2) make sure your pages do not expose the {{=response.toolbar}} 
>
> Please follow the above guidelines because exposing internal system status 
> may help attackers gain confidential information about your system.
> The web2py in trunk will prevent the information leakage by default but 
> removing "examples" is the safest way.
>
> If you use nginx or apache or other wsgi server there is no problem but 
> you may still want to follow the above rules in production.
>
> Massimo
>
>
>
