Posted to user@roller.apache.org by Dave <sn...@gmail.com> on 2008/04/05 20:35:46 UTC

Security vulnerability in Roller Admin Protocol (RAP)

There is a security vulnerability in Roller Admin Protocol (RAP),
which is an experimental web services protocol that allows remote
clients to provision Roller users and weblogs. The RAP feature is
marked as experimental in the Roller properties file and is turned off
by default. Until this problem is fixed, you should NOT enable RAP on
your Roller site.

Here is the relevant section of the roller.properties file:
   # Atom-like Admin Publishing Protocol (AAPP) - this is an experimental admin
   # protocol based on ideas from the Atom protocol.
   # Intended only for interoperability testing. DO NOT ENABLE IN PRODUCTION!
   webservices.adminprotocol.enabled=false
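The announcement's mitigation is a single property, so the useful check is an audit of the deployed roller.properties that does not trust a quick eyeball read. The script below is an added example, not part of the original post or of Roller itself. It assumes the property name is exactly webservices.adminprotocol.enabled (as quoted above), that an absent key means Roller's shipped default of false, and that only the value "true" (in any case) turns the protocol on; the three sample files are constructed for the example.

```shell
#!/bin/sh
# Added audit example (not from the original announcement or the Roller
# project). It reports whether the experimental admin protocol (RAP/AAPP)
# has been switched on in a roller.properties file.
# Assumptions: the property name is webservices.adminprotocol.enabled, a
# missing key means the shipped default (false), and only the value "true"
# (any case) enables it. The sample files below are constructed.

# rap_status FILE: prints "enabled" or "disabled"; exit status is 1 when
# enabled so the function can gate a deployment script.
rap_status() {
    # Only uncommented assignments count and the last one wins, matching
    # Java properties semantics. Both "=" and ":" separators are accepted.
    val=$(grep -E '^[[:space:]]*webservices\.adminprotocol\.enabled[[:space:]]*[=:]' "$1" |
          tail -n 1 |
          sed -E 's/^[^=:]*[=:][[:space:]]*//; s/[[:space:]]*$//')
    case "$(printf '%s' "$val" | tr '[:upper:]' '[:lower:]')" in
        true) echo enabled;  return 1 ;;
        *)    echo disabled; return 0 ;;
    esac
}

# make_samples DIR: writes three constructed roller.properties fragments.
make_samples() {
    # Shipped default: the switch is present and off.
    cat > "$1/rap_off.properties" <<'EOF'
# Atom-like Admin Publishing Protocol (AAPP) - experimental, off by default.
webservices.adminprotocol.enabled=false
EOF
    # A commented-out "false" followed by a live "True" with odd spacing:
    # the live line must win and the comment must be ignored.
    cat > "$1/rap_on.properties" <<'EOF'
# webservices.adminprotocol.enabled=false
webservices.adminprotocol.enabled = True
EOF
    # The key is absent entirely, so the default applies.
    printf 'installation.type=auto\n' > "$1/rap_missing.properties"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
make_samples "$SAMPLE_DIR"

# Audit every sample; in practice point this at the deployed file instead.
for f in "$SAMPLE_DIR"/*.properties; do
    printf '%s: %s\n' "$(basename "$f")" "$(rap_status "$f")"
done
```

Run it against the real file with `rap_status /path/to/roller.properties` in a deployment check; a non-zero exit means RAP is on and the advisory's guidance has not been followed.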

This vulnerability is being tracked as ROL-1701. It has been fixed in
the Roller SVN trunk and roller_4.0 branches, but there is currently
no release available that contains this fix. The code changes are
linked to from the bug report below:

   https://issues.apache.org/roller/browse/ROL-1701

- Dave