cocoon-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 23949] New: - Security : Directory traversal in "view-source"
Date Mon, 20 Oct 2003 17:45:39 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23949>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23949

Security : Directory traversal in "view-source"

           Summary: Security : Directory traversal in "view-source"
           Product: Cocoon 2
           Version: 2.1.2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: general components
        AssignedTo: dev@cocoon.apache.org
        ReportedBy: thierry.deleeuw@advalvas.be


http://a_Host.com:8888/samples/view-source?filename=../../../boot.ini allows 
downloading the "boot.ini" file (located in the root of the C drive under Windows 
NT/2000/XP).

I know this is only a sample script but unfortunately a lot of people do 
install their production machines with samples installed...

A check on the filename should be done.
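
The filename check the report asks for, sketched as an added example (not part of the original message and not Cocoon's code or its eventual fix): resolve the `filename` parameter against a fixed base directory, canonicalize it, and refuse anything that ends up outside that directory. The class name `ViewSourceCheck`, the method `resolveInside` and the temporary sample directory are assumptions made for the illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

public class ViewSourceCheck {   // hypothetical name, not a Cocoon class

    /** Returns the real path of the requested file, or throws if it leaves baseDir. */
    static Path resolveInside(Path baseDir, String filename) throws IOException {
        if (filename == null || filename.isEmpty()) {
            throw new SecurityException("empty filename");
        }
        Path base = baseDir.toRealPath();        // canonical base, symlinks resolved
        Path candidate;
        try {
            // resolve() returns the argument itself when it is absolute;
            // normalize() collapses "." and ".." segments lexically.
            candidate = base.resolve(filename).normalize();
        } catch (InvalidPathException e) {       // e.g. an embedded NUL character
            throw new SecurityException("invalid filename");
        }
        // Path.startsWith compares whole path elements, not string prefixes,
        // so "/srv/samples-old" does not pass as being under "/srv/samples".
        if (!candidate.startsWith(base)) {
            throw new SecurityException("outside base directory");
        }
        // Follow symlinks on the final target and check containment again.
        Path real = candidate.toRealPath();      // NoSuchFileException if missing
        if (!real.startsWith(base) || !Files.isRegularFile(real)) {
            throw new SecurityException("not a regular file under base directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("samples");   // constructed sample tree
        Files.write(base.resolve("sitemap.xmap"), "<map/>".getBytes());
        String[] requests = { "sitemap.xmap", "./sitemap.xmap", "../../../boot.ini",
                              "sub/../../boot.ini", base.getParent().toString() };
        for (String r : requests) {
            try {
                System.out.println("ALLOW " + r + " -> " + resolveInside(base, r));
            } catch (SecurityException | IOException e) {
                System.out.println("DENY  " + r + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The containment test runs twice because the lexical check alone does not catch a symlink inside the base directory that points elsewhere.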
