roller-user mailing list archives

From Dave <snoopd...@gmail.com>
Subject Security vulnerability in Roller Admin Protocol (RAP)
Date Sat, 05 Apr 2008 18:35:46 GMT
There is a security vulnerability in Roller Admin Protocol (RAP),
which is an experimental web services protocol that allows remote
clients to provision Roller users and weblogs. The RAP feature is
marked as experimental in the Roller properties file and is turned off
by default. Until this problem is fixed, you should NOT enable RAP on
your Roller site.

Here is the relevant section of the roller.properties file:
   # Atom-like Admin Publishing Protocol (AAPP) - this is an experimental admin
   # protocol based on ideas from the Atom protocol.
   # Intended only for interoperability testing. DO NOT ENABLE IN PRODUCTION!
   webservices.adminprotocol.enabled=false

This vulnerability is being tracked as ROL-1701. It has been fixed in
the Roller SVN trunk and roller_4.0 branches, but there is currently
no release available that contains this fix. The code changes are
linked to from the bug report below:

   https://issues.apache.org/roller/browse/ROL-1701

- Dave
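An added defender's check (not part of Dave's message or of the Roller project's own code): a small Python audit that reads roller.properties with a minimal Java properties parser (comment lines, '=' or ':' separators, backslash line continuation) and reports whether webservices.adminprotocol.enabled is actually set to true, treating a missing key as the documented default of false. The two property fragments are constructed for the example; the "safe" one mirrors the snippet quoted above.

```python
import re

# Two roller.properties fragments, constructed for this example. The first
# mirrors the snippet quoted in the advisory; the second is the unsafe setting.
SAFE_PROPERTIES = """\
# Atom-like Admin Publishing Protocol (AAPP) - this is an experimental admin
# protocol based on ideas from the Atom protocol.
# Intended only for interoperability testing. DO NOT ENABLE IN PRODUCTION!
webservices.adminprotocol.enabled=false
"""
UNSAFE_PROPERTIES = "webservices.adminprotocol.enabled = \\\n    true\n"

RAP_KEY = "webservices.adminprotocol.enabled"

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comment lines, '=' or ':'
    separators, and backslash line continuation. Later keys win."""
    props = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is None and (not line or line[0] in "#!"):
            continue
        line = (pending or "") + line
        pending = None
        # An odd number of trailing backslashes joins the next physical line.
        body = line.rstrip("\\")
        if (len(line) - len(body)) % 2 == 1:
            pending = body
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def rap_enabled(props):
    """RAP is off unless the key is explicitly 'true' (Roller's default is false)."""
    return props.get(RAP_KEY, "false").lower() == "true"

def audit(text):
    """Return a one-line verdict for the contents of a roller.properties file."""
    if rap_enabled(parse_properties(text)):
        return "FAIL: %s=true (ROL-1701): disable RAP until a fixed release ships" % RAP_KEY
    return "OK: RAP is disabled"

if __name__ == "__main__":
    for label, text in (("safe", SAFE_PROPERTIES), ("unsafe", UNSAFE_PROPERTIES)):
        print(label, "->", audit(text))
```

To check a live deployment, pass the file's contents to audit() instead of the constructed samples.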
