Project

General

Profile

Actions

Bug #9513

closed

Privilege bypass due to relative paths in URL after initial page filename

Added by Jim Pingle about 3 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
Urgent
Assignee:
Category:
Web Interface
Target version:
Start date:
05/09/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

N.B.: I have not yet managed to reproduce this, adding it based on a user report.

Due to the way the privilege system matches pages with wildcards, if the user can feed a relative URL to the server it may be able to bypass a check to reach a page they otherwise couldn't access.

For example, if the user has access to status_interfaces.php, but they want to reach diag_backup.php, they can send a request for "status_interfaces.php/../diag_backup.php".

However, few if any clients allow this type of syntax. Most automatically correct the relative path request, and even CLI clients such as cURL and wget remove the relative reference. There may be some proxies such as burpsuite which may be leveraged to send the path in that way (unconfirmed, but suggested by the reporter).

The attached patch should correct the problem, but without being able to reproduce it, we can't confirm the fix, so I have not yet committed it.


Files

priv-match-fixes.diff (2.45 KB) priv-match-fixes.diff Jim Pingle, 05/09/2019 03:44 PM
Actions

Also available in: Atom PDF