Bug #13425
closed
Invalid alias name can still be used by code attempting to validate URL table content
Added by Jim Pingle over 2 years ago.
Updated almost 2 years ago.
Category: Aliases / Tables
Plus Target Version: 23.01
Description
When validating an alias on save, the name is checked for validity; however, the name is still used during validation by process_alias_urltable().
The name is used as-is for a filename, which means it may include invalid components such as ../, | and other characters to traverse paths and create arbitrary files.
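
The ordering problem in the description, sketched as an added example (not pfSense code and not taken from this report): the name check runs first, and a rejected name never reaches the code that builds a filename. `TABLE_DIR`, the three function names and the name pattern are assumptions made for illustration.

```php
<?php
// Added example, not pfSense code. TABLE_DIR and the function names are
// hypothetical; the name pattern is an assumed allow-list for illustration.
const TABLE_DIR = '/tmp/example-aliastables';

// Allow-list check: letters, digits and underscore only, bounded length.
// The D modifier stops "$" from matching before a trailing newline.
function alias_name_is_safe(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,31}$/D', $name) === 1;
}

// Build the table file path only after the name passes the check, then
// confirm the result still sits directly inside TABLE_DIR.
function urltable_path_for(string $name): ?string
{
    if (!alias_name_is_safe($name)) {
        return null;    // a rejected name never reaches filesystem code
    }
    $path = TABLE_DIR . '/' . $name . '.txt';
    if (dirname($path) !== TABLE_DIR) {
        return null;    // defense in depth if a separator slips through
    }
    return $path;
}

// Order of operations that avoids the bug: the name gate runs before any
// step that would download or write the table content.
function validate_urltable_alias(string $name, string $url): array
{
    $errors = [];
    if (urltable_path_for($name) === null) {
        $errors[] = 'invalid alias name';
        return $errors;             // stop here: no fetch, no file creation
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        $errors[] = 'invalid URL';
    }
    return $errors;
}

// Constructed sample names, including the components named in the report.
foreach (['blocklist_v4', '../../tmp/x', 'a|b', 'good/../bad', ''] as $n) {
    $r = validate_urltable_alias($n, 'https://example.com/list.txt');
    printf("%-14s => %s\n", var_export($n, true), $r ? implode(', ', $r) : 'ok');
}
```

Only `blocklist_v4` passes; every other constructed name is rejected before a path is ever built.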
- Status changed from New to Feedback
- % Done changed from 0 to 100
- Plus Target Version changed from 22.11 to 23.01
When attempting to save an alias in 23.01.a.20221111.0600, including an additional / at the end of a URL results in:
PHP ERROR: Type: 1, File: /etc/inc/util.inc, Line: 3863, Message: Maximum execution time of 900 seconds exceeded @ 2022-11-12 18:00:31
Jordan Greene wrote in #note-3:
When attempting to save an alias in 23.01.a.20221111.0600, including an additional / at the end of a URL results in:
[...]
That was unrelated to this; it was a separate regression. See #13685.
- Status changed from Feedback to Resolved
Attempting a previously working exploit no longer creates an arbitrary file. Marking resolved.
- Private changed from Yes to No