1 (edited by jdelisle 2015-11-27 05:44:22)

Topic: Access to cluebringer and awstats without authentication

Hello,

I'm working on a freshly installed iRedMail, and I'm noticing I can log in to both awstats and cluebringer WITHOUT being prompted to authenticate.

I believe this is obviously a security issue, but I'm not sure if it's a configuration issue on my system or where to look.

Any suggestions?


==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: CentOS 7 with Wordpress, osTicket
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): OpenLDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- Related log if you're reporting an issue: Not provided
====

----


2

Re: Access to cluebringer and awstats without authentication

I think I found the issue.

The default configurations in the cluebringer and awstats config files in /etc/httpd/conf.d have a statement in them:

"Require all granted"

Commenting that out worked. 

Users are being authenticated as expected now.
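
----

Added example, not part of the original posts and not iRedMail's own code: in Apache 2.4, several `Require` directives in one section that are not wrapped in `<RequireAll>` are combined as "any of", so an active `Require all granted` next to `Require valid-user` lets every request through without a login prompt. The Python sketch below flags that pattern; the sample config, its paths and the name `find_auth_bypass` are constructed for illustration.

```python
import re

SECTIONS = {"directory", "directorymatch", "location", "locationmatch"}
# Constructed sample config (hypothetical paths), not copied from iRedMail.
SAMPLE_CONF = """\
<Directory /srv/example/stats/>
    AuthType Basic
    Require all granted
    Require valid-user
</Directory>
<Directory /srv/example/static/>
    Require all granted
</Directory>
<Directory /srv/example/policy-ui/>
    AuthType Basic
    # Require all granted
    Require valid-user
</Directory>
"""

def find_auth_bypass(conf_text):
    """Return [(path, [line numbers])] for sections mixing AuthType with 'Require all granted'."""
    findings, stack, current = [], [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives are inactive
        tag = re.match(r"<(/?)(\w+)\s*(.*?)>$", line)
        if tag:
            closing, name, arg = tag.group(1), tag.group(2).lower(), tag.group(3)
            if not closing:
                stack.append(name)
                if name in SECTIONS and current is None:
                    current = {"path": arg.strip('"'), "auth": False, "granted": []}
            else:
                del stack[-1:]  # pop the container being closed (safe if empty)
                if name in SECTIONS and current and not SECTIONS & set(stack):
                    # Outermost section closed: report if auth is set but open access remains
                    if current["auth"] and current["granted"]:
                        findings.append((current["path"], current["granted"]))
                    current = None
            continue
        words = line.lower().split()
        if current and words[0] == "authtype" and words[1:] != ["none"]:
            current["auth"] = True
        # Inside <RequireAll> the directive does not bypass the other requirements
        elif current and words == ["require", "all", "granted"] and "requireall" not in stack:
            current["granted"].append(lineno)
    return findings

print(find_auth_bypass(SAMPLE_CONF))
```

To check a real file, pass its contents to `find_auth_bypass` instead of `SAMPLE_CONF`; a section that is meant to be public and sets no `AuthType` is not reported.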