jetlib.sec » Bugtraq » Puppet Dashboard insecure by default

Feeds

132969 items (1 unread) in 27 feeds

• 1337day (was: Inj3ct0r, 1337db)
• OSVDB Vulnerabilities
• Exploit-DB
• SecurityFocus Vulnerabilities (1 unread)
• Bugtraq
• Full Disclosure
• XSSed
• Packet Storm Security Headlines
• Packet Storm Security Advisories
• Packet Storm Security Exploits
• Packet Storm Security Recent Files
• Packet Storm Security Tools
• Packet Storm Security Misc. Files
• Sophos security news
• Sophos product advisories
• Penetration Testing
• SecuriTeam
• BackTrack Linux Forums
• Threatpost
• SecDocs
• carnal0wnage.attackresearch.com
• Carnal0wnage
• Kernel Fun
• Darknet
• The Exploitant
• Hack a Day
• Wirevolution

Bugtraq

• February 17, 2012
• 

  Puppet Dashboard insecure by default

  Posted: February 17th, 2012, 9:24am PST

  Tags:   

  Posted by Schweiss, Chip on Feb 17

  Apparently, leaving all security up to the end user is okay with Puppet Labs.
  
  I stumbled across some rather alarming search results when looking for
  an explanation to a message on my own dashboard:
  
  http://goo.gl/m99l6
  
  There are numerous Puppet Dashboard's exposed directly to the Internet
  and indexed by Google.  By default Dashboard runs on port 3000, so
  these are only sites that have reconfigured to run on port 80.  A
  machine search for...