/doc is browsable

A vulnerability scan was conducted on Jitsi to find that it was possible to browse the /doc file.

  • Is this intentional?
  • Can this be addressed to make the software safer?
  • I was told to go to access.conf and add:

        <Directory /usr/doc>
            AllowOverride None
            Order deny,allow
            Deny from all
            Allow from localhost
        </Directory>

Interesting. How do you browse it? If I try to access /doc on my instances (one Nginx, one Apache), it just joins me to a meeting, and if I try to access /doc/ I get a 404 on both Apache and Nginx.

I’m not 100% sure how to… but I’m just told that this could be done and needed to be fixed. I just wasn’t sure exactly how to do it and then thought I would share the information on this forum so it could be addressed in a future update perhaps?

If you can get more details, that would be helpful.

The mitigation you posted, with /usr/doc, doesn’t make much sense. That’s not a path on most Linux systems, and it’s not a Jitsi-specific path either.

If it’s a general system directory that’s browsable, it’s not so much a Jitsi issue as a normal system configuration issue. If the Jitsi doc directory is browsable, that’s an easy fix, I just can’t seem to reproduce the issue on either of my installs.

Hi @Syonyk
This folder: /usr/share/jitsi/doc
It’s the folder inside the project.
When I copied the project to a different location, i.e. /usr/share/conference/jitsi, I had to add the <Directory /usr/share/conference/jitsi/doc> block to the apache2/conf-enabled/security.conf file.
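As an added example (not code from this thread or from the Jitsi project), here is the Apache 2.4 form of the fix the post above describes: a `<Directory>` block that turns off directory listings and denies all web access to the doc folder. The path /usr/share/jitsi/doc and the conf-enabled/security.conf location are taken from the thread; the `Require` syntax replaces the older `Order`/`Allow`/`Deny` directives from the first post, and everything else assumes a stock Apache 2.4 install.

```apache
# Added example: keep the Jitsi doc directory out of reach over HTTP (Apache 2.4).
# Path /usr/share/jitsi/doc is the one named in this thread; change it if your
# install lives elsewhere (e.g. /usr/share/conference/jitsi/doc as in the post).
# Put this in /etc/apache2/conf-enabled/security.conf (or its own file there),
# then run `apachectl configtest` and `systemctl reload apache2`.

# What a scanner flags: listings on, and every client allowed to read the files.
#<Directory /usr/share/jitsi/doc>
#    Options +Indexes
#    Require all granted
#</Directory>

# Hardened form: no index pages, no .htaccess overrides, no access at all.
<Directory /usr/share/jitsi/doc>
    Options -Indexes
    AllowOverride None
    Require all denied
</Directory>
```

To confirm the change took effect, request the directory with a trailing slash (`curl -sI https://your-host/doc/`) and check that the status is 403 after the reload; a 200 with an "Index of /doc" body means the block is not being applied to the vhost that serves the files, usually because the files are reached through a different `DocumentRoot` or `Alias` path than the one named in the `<Directory>` block. On an Nginx install the equivalent is to make sure `autoindex` is off (the default) for that location.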

File a bug, but… I’m not sure what the issue really is. If you’re moving things around, yeah, you’ll have to update config files to cover the new locations.