Directory transversal in Configuration History
The getcfg parameter doesn't filter chars such as .. or /; this way an admin can retrieve other XML files from the system.
I don't think it's critical since the admin could still download the current config or any other files from other places or SSH, but still you may want to get it fixed.
Ensure this only contains a partial name, not a path, before attempting to craft a full name and read the file. Fixes #5203.
#1 Updated by Jim Pingle almost 5 years ago
- Subject changed from Directory transversal - Config backup to Directory transversal in Configuration History
- Category set to Web Interface
- Status changed from New to Feedback
- Assignee set to Jim Pingle
- Target version set to 2.2.5
- Affected Version set to All
- Affected Architecture All added
- Affected Architecture deleted (
I pushed a fix for this just now. It doesn't appear to be a security problem since the code in question is limited to reading only filenames ending in .xml. The only .xml files with sensitive info on the box are the config.xml files and this page can already read them without any path alterations.
Thanks for the submission, though. In the future, please report any suspected security issues to email@example.com so that we can handle them more appropriately.
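The check described in the commit message above (accept only a partial name, never a path, before building the full file name) can be sketched as follows. This is an added example, not the pfSense fix itself: the function name `resolve_backup_file`, the directory layout and the `config-<partial>.xml` naming are assumptions for illustration.

```php
<?php
// Added example, not pfSense code. The directory layout and the
// "config-<partial>.xml" file naming are assumptions for illustration.

/**
 * Turn a request-supplied partial name into a backup file path,
 * or return null when the value is not a plain partial name.
 */
function resolve_backup_file(string $backupDir, string $partial): ?string
{
    // Allow-list: a partial name has no '/', '\' or NUL, so it cannot
    // add path components. \A and \z anchor the whole string.
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $partial)) {
        return null;
    }
    $base = realpath($backupDir);
    $real = realpath($backupDir . '/config-' . $partial . '.xml');
    // realpath() returns false for a missing file and follows symlinks,
    // so the parent-directory comparison also catches a link that
    // points outside the backup directory.
    if ($base === false || $real === false || dirname($real) !== $base) {
        return null;
    }
    return $real;
}

// Constructed sample data so the script runs offline.
$root = sys_get_temp_dir() . '/getcfg-example-' . getmypid();
$dir = $root . '/backup';
mkdir($dir, 0700, true);
file_put_contents($dir . '/config-1445000000.xml', '<example/>');
file_put_contents($root . '/other.xml', '<example/>');

// Constructed request values: only the first names an existing backup.
foreach (['1445000000', '../other', '/../../other', '1445000001'] as $value) {
    $path = resolve_backup_file($dir, $value);
    printf("%-14s => %s\n", var_export($value, true),
        $path === null ? 'rejected' : basename($path));
}

// Remove the sample files.
unlink($dir . '/config-1445000000.xml');
unlink($root . '/other.xml');
rmdir($dir);
rmdir($root);
```

Only the first value resolves to a file; the values containing a separator fail the allow-list, and the last is rejected because no such backup exists.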