cocoon-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 23949] - Security : Directory traversal in "view-source"
Date Thu, 23 Oct 2003 14:32:57 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23949>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23949

Security : Directory traversal in "view-source"





------- Additional Comments From leo.sutic@inspireinfrastructure.com  2003-10-23 14:32 -------
Just to summarize to get a nice endcap to all this - the vulnerability report 
is at:

    http://www.securiteam.com/securitynews/6W00L0U8KC.html

The vulnerability can be summed up as follows:

If...

   ...you run any of the affected versions, and...
   ...you have the Cocoon samples installed, then...

...you are vulnerable.

So if you either run a non-vulnerable version, or do not have samples 
installed, you're fine. For reference, the offensive part is here:

   <!-- ========================= Utilities ================================ -->

   <map:match pattern="view-source">
    <!-- colourize files that are known to be XML -->
    <map:match type="filename" pattern="((xml)|(xsp)|(xmap)|(xconf))$">
       <map:generate src="common/view-source.xsp" type="serverpages"/>
       <map:serialize/>
    </map:match>
    <!-- all other files are just sent as text -->
    <map:read mime-type="text/plain" src="../{request-param:filename}"/>
   </map:match>

I.e. if you accept a request parameter and send back whatever file that 
parameter points to, then you have a problem.
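
As an added example (not part of the original message and not Cocoon's own code), this is the containment check that the `src="../{request-param:filename}"` read in the quoted sitemap lacks: resolve the parameter against a fixed root and refuse anything that lands outside it. The class name `ViewSourceGuard`, the method `resolveInside`, the temporary directory and the sample inputs are all constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class ViewSourceGuard {

    /**
     * Resolve a request-supplied file name against a fixed root directory and
     * return it only if the real file still lives inside that root.
     */
    static Path resolveInside(Path root, String requested) throws IOException {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            throw new SecurityException("invalid filename parameter");
        }
        Path realRoot = root.toRealPath();
        // resolve() returns an absolute argument unchanged and normalize()
        // collapses ".." segments, so the prefix check must come after both.
        Path candidate = realRoot.resolve(requested).normalize();
        if (!candidate.startsWith(realRoot)) {
            throw new SecurityException("filename escapes the permitted directory");
        }
        // toRealPath() follows symbolic links and fails for missing files;
        // re-check the prefix so a link inside the root cannot point outside it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(realRoot) || !Files.isRegularFile(real)) {
            throw new SecurityException("filename is not a regular file under the root");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree standing in for the directory the sitemap serves.
        Path root = Files.createTempDirectory("samples");
        Files.createDirectories(root.resolve("docs"));
        Files.write(root.resolve("docs/index.txt"), "sample".getBytes());

        String[] inputs = { "docs/index.txt", "docs/../docs/index.txt",
                            "../outside.txt", "/etc/hostname", "docs/missing.txt" };
        for (String in : inputs) {
            try {
                Path ok = resolveInside(root, in);
                System.out.println("ALLOW " + in + " -> " + root.toRealPath().relativize(ok));
            } catch (SecurityException | IOException e) {
                System.out.println("DENY  " + in + " (" + e.getClass().getSimpleName() + ")");
            }
        }
    }
}
```

A string prefix test on the raw parameter is not equivalent: the comparison has to be made on the normalized, link-resolved path.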
