Details
- Bug
- Resolution: Unresolved
- Major
- None
- 14.5
- None
- Unknown
Description
Hi,
I just installed XWiki on Debian following https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Installation/InstallationViaAPT/ using the xwiki-tomcat9-pgsql package.
After the installation finishes, Tomcat starts and binds to port 8080, as configured in Tomcat's server.xml ( /etc/tomcat/server.xml ), lines 69-71:
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
If installed on an internet-facing system, this makes the DistributionWizard available to the world by default, leaving a window (albeit a small one) in which a malicious actor can abuse the DistributionWizard.
A more prudent default would be to bind to localhost, e.g. by changing line 69 of server.xml to the following:
<Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
and adding instructions to the installation guide on how to finish the installation using SSH port forwarding, or on how to remove address="127.0.0.1" from server.xml, with a notice that doing so exposes the DistributionWizard to the world.
Thanks & kind regards,
Cyman
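As an added example that is not part of this report or of the XWiki project: a POSIX shell script that reads a Tomcat server.xml, strips XML comments, and reports whether the HTTP connector on a given port carries an address attribute restricting it to loopback, or whether (as with the connector quoted above) it accepts connections from every interface. The two server.xml fragments are constructed here for the demonstration, one matching the connector as shipped and one with the proposed address="127.0.0.1"; the only path taken from the report is /etc/tomcat/server.xml.

```shell
#!/bin/sh
# Added example, not part of the XWiki issue or the xwiki-tomcat9-pgsql package:
# report the bind address of a Tomcat HTTP connector in a server.xml file, so an
# admin can tell whether the DistributionWizard would be reachable from other
# hosts. Sample files are constructed below; on the system described in the
# report the real file is /etc/tomcat/server.xml.

# Join the file into one line and drop XML comments, so commented-out
# <Connector> examples (as shipped in Tomcat's stock server.xml) are ignored.
flatten_server_xml() {
    tr '\n' ' ' < "$1" | awk '{ gsub(/<!--([^-]|-[^-])*-->/, ""); print }'
}

# Print the address the <Connector port="$2"> in file $1 listens on. Tomcat
# binds to every interface when the attribute is absent, reported as 0.0.0.0.
# Returns 1 and prints nothing when no active connector uses that port.
connector_bind_address() {
    elem=$(flatten_server_xml "$1" | grep -o "<Connector[^>]* port=\"$2\"[^>]*>" | head -n 1)
    [ -n "$elem" ] || return 1
    addr=$(printf '%s' "$elem" | grep -o ' address="[^"]*"' | head -n 1 | cut -d'"' -f2)
    printf '%s\n' "${addr:-0.0.0.0}"
}

# One-line verdict for the connector on port $2 of file $1.
describe_connector() {
    if addr=$(connector_bind_address "$1" "$2"); then
        case "$addr" in
            127.*|::1|localhost) echo "port $2: bound to $addr, loopback only" ;;
            *) echo "port $2: bound to $addr, reachable from other hosts" ;;
        esac
    else
        echo "port $2: no active connector"
    fi
}

# Constructed samples: the connector as shipped (the report's lines 69-71) and
# the loopback-only variant the report proposes. Prints the directory path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/as-shipped.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- commented-out example as in stock Tomcat, must be ignored:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" />
    -->
  </Service>
</Server>
EOF
    cat > "$dir/loopback.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
               connectionTimeout="20000"
               redirectPort="8443" />
  </Service>
</Server>
EOF
    printf '%s\n' "$dir"
}

# Demo run over the constructed samples.
samples=$(make_samples)
for f in "$samples/as-shipped.xml" "$samples/loopback.xml"; do
    echo "$f"
    describe_connector "$f" 8080
    describe_connector "$f" 8443
done
rm -r "$samples"
```

To check the live system rather than a file, `ss -ltn 'sport = :8080'` shows whether the Local Address column reads 127.0.0.1:8080 or 0.0.0.0:8080 / *:8080. With the loopback-only setting in place, an administrator finishes the wizard through a tunnel such as `ssh -L 8080:127.0.0.1:8080 user@server` and then opens http://localhost:8080/ on the workstation.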