
0002866: System access allowed from everywhere - MantisBT Endian Bugtracker
Endian Issue Tracker













ID: 0002866
Project: Endian Firewall
Category: Security
View Status: public
Date Submitted: 2010-04-24 12:23
Last Update: 2010-06-07 10:56
Reporter: gabrielakos
Assigned To: peter-endian
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 2.3
Target Version:
Fixed in Version: 2.4
Summary: 0002866: System access allowed from everywhere
Description: I tried to allow SSH from 2 IP addresses like a.b.c.d and in the second row e.f.g.h, but SSH to Endian was possible from everywhere. This allowed an attacker to try a lot of passwords against our firewall (serious security threat).
As I removed the second IP, the rule was enforced correctly; access was possible from that one IP only.
This problem with multiple IPs appears only at system access; the port forwarding/NAT screen is working correctly (as far as I have tested).
 
Tags: No tags attached.
Notes
(0004178)
baldy (reporter)
2010-04-25 13:33

It also happens when allowing other protocols in system access.

As soon as you add a second IP address and press Enter after the second IP, all access is allowed. If you do not press Enter after the second IP, the rule works as it should.

Looks like the Enter is added as well as the IP addresses, thus creating a rule allowing all.

When testing I found that if you use only one IP address and press Enter after that, the Enter is trimmed off and is no longer there when re-editing the rule.
With two or more IP addresses the Enter is not trimmed off.

Regards,

Klaas-Jan
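
The failure mode the note above describes (a blank entry left by a trailing Enter ending up as a rule that allows all), shown as an added example that is not Endian's code and not part of the original report. The function names, the rule layout and the sample addresses are constructed, and the way an empty source turns into a rule without a source match is an assumption about the rule generator.

```python
import ipaddress

def naive_sources(field):
    # Constructed "before": split on newline only, so a trailing Enter
    # leaves an empty string as the last entry.
    return field.split("\n")

def parse_sources(field):
    """Return validated source networks; fail closed on bad or empty input."""
    sources = []
    for line in field.splitlines():
        entry = line.strip()
        if not entry:
            continue  # blank line from a trailing Enter is not a source
        # ip_network raises ValueError for anything that is not an IP or CIDR.
        sources.append(ipaddress.ip_network(entry, strict=False))
    if not sources:
        raise ValueError("no source address given; refusing to build an allow rule")
    return sources

def build_rules(sources, port=22):
    """One hypothetical iptables-style ACCEPT rule (argument list) per source."""
    rules = []
    for src in sources:
        rule = ["-A", "INPUT", "-p", "tcp", "--dport", str(port)]
        text = str(src)
        if text:  # assumed generator behaviour: empty source means no -s match
            rule += ["-s", text]
        rules.append(rule + ["-j", "ACCEPT"])
    return rules

def unrestricted(rules):
    """Audit check: ACCEPT rules that carry no source restriction at all."""
    return [r for r in rules if "-s" not in r]

# Constructed input: two documentation addresses, then Enter.
FIELD = "192.0.2.10\n198.51.100.7\n"

if __name__ == "__main__":
    print("naive:   ", unrestricted(build_rules(naive_sources(FIELD))))
    print("hardened:", unrestricted(build_rules(parse_sources(FIELD))))
```

Running `unrestricted()` over the generated rule set before it is loaded gives a check that catches this class of bug regardless of where the empty entry came from.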

Issue History
Date Modified Username Field Change
2010-04-24 12:23 gabrielakos New Issue
2010-04-25 13:33 baldy Note Added: 0004178
2010-06-07 10:56 peter-endian Status new => resolved
2010-06-07 10:56 peter-endian Fixed in Version => 2.4
2010-06-07 10:56 peter-endian Resolution open => fixed
2010-06-07 10:56 peter-endian Assigned To => peter-endian
2010-06-07 10:56 peter-endian Status resolved => closed
