Unauthenticated users can see all X509 certs


This topic contains 1 reply, has 0 voices, and was last updated by  gkankanh 8 years, 5 months ago.

  • #42706

    gkankanh
    Member

    Hi
    Unauthenticated users are able to see the X.509 certs for all users in the system. I think this is a major security flaw.
    How do you disable it? I am trying to figure out the exact script that is generating this list. If you already know it, save me some digging!!!
    All help appreciated
    GK

    #51263

    atheling
    Member

    Not really a security flaw per se. The certificates contain the public key for the individual. That should not be a security risk. The whole idea of public keys is that they can be public.

    I think the issue is that it exposes your user list which allows for phishing attempts.

    For myself, I think that any directory server should not be accessible from outside your organization. If you are setting up users on Zeroshell then you are using it as a directory server and the home screen on it should not be accessible from outside your organization.

    Inside your organization having your users visible should not be too big an issue.

    #51264

    imported_fulvio
    Participant

    In any case, beta 13 allows you to disable the unauthenticated certificate list.

    Regards
    Fulvio
