Bug #5203

closed

Directory transversal in Configuration History

Added by Fernando Munoz about 6 years ago. Updated about 6 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Web Interface
Target version:
Start date: 09/24/2015
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

The getcfg parameter doesn't filter chars such as .. or /; this way an admin can retrieve other XML files from the system.

- https://localhost:9090/diag_confbak.php?getcfg=../../../../../../../../cf/conf/config

I don't think it's critical since the admin could still download the current config or any other files from other places or SSH, but still you may want to get it fixed.

Actions #1

Updated by Jim Pingle about 6 years ago

  • Subject changed from Directory transversal - Config backup to Directory transversal in Configuration History
  • Category set to Web Interface
  • Status changed from New to Feedback
  • Assignee set to Jim Pingle
  • Target version set to 2.2.5
  • Affected Version set to All
  • Affected Architecture All added
  • Affected Architecture deleted ()

I pushed a fix for this just now. It doesn't appear to be a security problem since the code in question is limited to reading only filenames ending in .xml. The only .xml files with sensitive info on the box are the config.xml files and this page can already read them without any path alterations.

Thanks for the submission, though. In the future, please report any suspected security issues to so that we can handle them more appropriately.
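Added example, not part of the original ticket and not pfSense code: a request value concatenated into a backup path with ".xml" appended, next to a version that allow-lists the identifier and checks the resolved path stays inside the backup directory. The function names, directory layout, and the file name config-1443052800.xml are assumptions constructed for the illustration.

```php
<?php
// Added illustration, not pfSense code. Paths, file names and function
// names are assumptions constructed for this example.

// Naive form: request value concatenated into a path, ".xml" appended.
function naive_backup_path(string $backupDir, string $id): string
{
    return $backupDir . '/' . $id . '.xml';
}

// Hardened form: allow-list the identifier, then confirm the resolved
// file is still inside the backup directory.
function safe_backup_path(string $backupDir, string $id): ?string
{
    // Plain names only: no "/", no "\", no "." (so no "..").
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id)) {
        return null;
    }
    $base = realpath($backupDir);
    $file = realpath($backupDir . '/' . $id . '.xml');
    if ($base === false || $file === false) {
        return null; // directory or file does not exist
    }
    // Defence in depth: a symlink inside the directory could point elsewhere.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Constructed sandbox: <tmp>/conf/config.xml plus one file under conf/backup.
$root = realpath(sys_get_temp_dir()) . '/confbak_demo_' . getmypid();
$backupDir = $root . '/conf/backup';
mkdir($backupDir, 0700, true);
file_put_contents($root . '/conf/config.xml', '<live/>');
file_put_contents($backupDir . '/config-1443052800.xml', '<backup/>');

foreach (['config-1443052800', '../config', '../../conf/config'] as $id) {
    $naive = realpath(naive_backup_path($backupDir, $id));
    $safe  = safe_backup_path($backupDir, $id);
    printf("%-20s naive=%-36s safe=%s\n", $id,
        $naive === false ? 'none' : substr($naive, strlen($root)),
        $safe === null ? 'rejected' : substr($safe, strlen($root)));
}

// Remove the sandbox.
array_map('unlink', [$root . '/conf/config.xml', $backupDir . '/config-1443052800.xml']);
rmdir($backupDir); rmdir($root . '/conf'); rmdir($root);
```

With the naive function, both identifiers containing ".." resolve to the sandbox's conf/config.xml outside the backup directory; the hardened function rejects them and returns only the file under conf/backup.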

Actions #2

Updated by Jim Pingle about 6 years ago

  • % Done changed from 0 to 100

Actions #3

Updated by Jim Pingle about 6 years ago

Actions #4

Updated by Chris Buechler about 6 years ago

  • Status changed from Feedback to Resolved

fixed
