[security advisory] http://wiki.nginx.org/Redmine

Edho Arief me at myconan.net
Mon Mar 9 14:48:58 UTC 2015


On Mon, Mar 9, 2015 at 11:44 PM, Gena Makhomed <gmm at csdoc.com> wrote:
> On 08.03.2015 22:50, Francis Daly wrote:
>
>>> webpage http://wiki.nginx.org/Redmine has some security problems:
>>>
>>> 1. All redmine config files are available to anybody on the internet,
>>> for example: https://redmine.example.com/config/database.yml
>>> contains, in plain text, the login and password for the database connection.
>>
>>
>> I don't think that one is an nginx problem.
>>
>
> Yes, this is not an nginx problem. This is an nginx configuration problem,
> which is provided at wiki.nginx.org as a "drop in configuration" for redmine.
>
>> From reading the redmine docs, it looks like the contents of the "root"
>> directive directory should be whatever is in the distributed redmine
>> public/ directory; not the entire installation including configuration.
>

It's a public wiki, not some official documentation. If there's an error,
you can just go ahead and change it.
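
An added example, not part of the original thread or of the wiki page: a Python check an administrator could run to confirm the point quoted above, that an nginx `root` directive should name Redmine's public/ directory and not the installation directory. The marker file list (beyond config/database.yml) and the sample paths built in the demo are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Files found in a Rails/Redmine application root but never in public/.
# config/database.yml is the file named in the thread; the rest are assumptions.
APP_ROOT_MARKERS = ("config/database.yml", "config/environment.rb", "Gemfile")

# Matches uncommented `root <path>;` directives, one per line.
ROOT_RE = re.compile(r"^\s*root\s+([^;#]+?)\s*;", re.MULTILINE)


def roots_in_config(conf_text):
    """Return every path given to a `root` directive, with quotes stripped."""
    return [path.strip("\"'") for path in ROOT_RE.findall(conf_text)]


def exposed_files(docroot):
    """Return the marker files that sit under docroot, i.e. would be served as static files."""
    base = Path(docroot)
    return [marker for marker in APP_ROOT_MARKERS if (base / marker).is_file()]


def audit(conf_text):
    """Map each configured document root to the sensitive files found beneath it."""
    return {root: exposed_files(root) for root in roots_in_config(conf_text)}


if __name__ == "__main__":
    # Constructed sample installation: an application root with a config/ and a public/ directory.
    top = Path(tempfile.mkdtemp(prefix="redmine-sample-"))
    (top / "config").mkdir()
    (top / "config" / "database.yml").write_text("production:\n  password: constructed\n")
    (top / "public").mkdir()

    weak = f"server {{\n    root {top};\n}}\n"            # whole installation is the docroot
    fixed = f"server {{\n    root {top}/public;\n}}\n"    # only public/ is the docroot

    for label, conf in (("weak", weak), ("fixed", fixed)):
        for root, found in audit(conf).items():
            status = "EXPOSES " + ", ".join(found) if found else "ok"
            print(f"{label}: root {root} -> {status}")
```

The check only reads `root` directives in the text it is given; `alias` directives and included files are outside its scope.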


