Rare project developers

[mc36 <>]

hi,
it was a bug in the http software providing the page... the bug is fixed by 
the below commit:
https://github.com/rare-freertr/freeRtr/commit/c898cd5dfd9329316787c8e24f553746445bea24
and for now i get "not found" for the cooked url.. could you please redo the 
investigation?
fl: maybe a reinstall or at least a password change sounds a good idea as 
suggested by tim?
tim: thanks for reporting, i've added you to the greetings page in return: 
http://www.freertr.org/greet.html
thanks,
cs

On 11/25/22 10:40, Tim Waters wrote:
> Hi Csaba,
>
> We have received a Local File Inclusion vulnerability report on 
> amt-relay.geant.org.
>
> It is possible to read files on the server through the webserver.
>
> http://amt-relay.geant.org/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd 
> <http://amt-relay.geant.org/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd>
>
> I suspect this to either be:
>
>  1. A configuration error in nginx ( nginx config uses / as root, but that 
> should probably be something different )
>  2. A bug in the software.
>
> Could you please:
>
> 1.investigate the cause of this vulnerability, and report back?
>
> 2.do some preliminary investigation whether the system has been altered by 
> some one
>
> 3.If the vulnerability has been fixed, please change all passwords because they might have been compromised ( I noticed users root, p4 and your user account having a password in 
> the shadow file )
>
> If you need any help or advise in doing the above, please let me know.
>
> Met vriendelijke groet/best regards,
>
> Tim Waters
> Senior (Information) Security Officer,  Amsterdam Office
> G  ANT
> T:     +(31)  (20) 5304488
> M:   +(31) (0)  651776721
> Networks     Services     People
> Learn more at www.geant.org <http://www.geant.org/>
>
> *Working days: Monday, Tuesday, Wednesday & Friday.*
>
> G  ANT  Vereniging  (Association) is registered with the Chamber of Commerce in Amsterdam with registration number 40535155 and operates in the UK as a branch of 
> G  ANT  Vereniging.  Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands. UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK.
> --------------------------------------------------------------------
> The information in this email and in any attachments with it is intended for the addressee(s) only and may include personal or confidential information that is legally privileged. 
> Use of this information by individuals other than the addressee(s) and by individuals who are not authorised to access the information is prohibited. If you are not the addressee 
> or are not authorised to access the information, then its disclosure, reproduction, distribution and/or provision to third parties is not permitted and you are requested to send 
> this email back to us and to delete the original.
>
> *From: *Fr  d  ric LOUI <>
> *Date: *Friday, 25 November 2022 at 10:36
> *To: *mc36 <>
> *Cc: *Tim Waters <>
> *Subject: *Security report received from amt-relay.geant.org
>
> Hi Csaba,
>
> I hope you are doing well.
> Tim Waters from GEANT security would like to interact with you WRT a 
> vulnerability report he received.
>
> @Tim, feel free to engage with Csaba RARE/freeRTr lead developer.
>
> All the best,
> Frederic