File Inclusion Vulnerability
----------------------------

                 Key: CONTINUUM-1412
                 URL: http://jira.codehaus.org/browse/CONTINUUM-1412
             Project: Continuum
          Issue Type: Bug
          Components: Security
    Affects Versions: 1.1-beta-2
         Environment: Java version: 1.5.0_10
                      OS name: "linux" version: "2.6.16.49-xen-osl4-ipsec-domu" arch: "i386"
            Reporter: Tom Cort
            Priority: Critical
         Attachments: continuum.JPG

The value of the userDirectory variable used when calling workingCopy.action is 
not filtered properly. This gives anyone who can access workingCopy.action the 
ability to read any file on the file system with the permissions that jetty is 
running as.

For example, let's say we have continuum installed in /usr/local/continuum. Say 
we have a project named build-tools with a projectId of 10. Using the following 
URL, I can display the contents of /proc/version (see attached screenshot).

http://some-server.domain.com:8080/continuum/workingCopy.action?projectId=10&projectName=build-tools&userDirectory=../../../../../../../../../proc/&file=version

This is really bad if the user is running continuum as root because it gives 
the attacker access to every file on the file system.
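The fix the report calls for is to canonicalize the path built from userDirectory and file and refuse anything that resolves outside the project's working copy. The class below is an added example and is not Continuum's own code; the names WorkingCopyPathResolver, resolveUnchecked and resolveSafely are hypothetical, and the temporary directory used in main is constructed for the demonstration. resolveUnchecked reproduces the unfiltered concatenation the report describes, and resolveSafely shows the containment check that rejects the traversal in the URL above while still serving files under the root.

```java
import java.io.File;
import java.io.IOException;

/**
 * Added example (not Continuum's code): build the file path for a working-copy
 * request and reject any result that escapes the project's working directory.
 */
public class WorkingCopyPathResolver {

    private final File workingCopyRoot;

    public WorkingCopyPathResolver(File workingCopyRoot) throws IOException {
        // Canonicalize once so "..", "." and symlinks in the root itself are resolved.
        this.workingCopyRoot = workingCopyRoot.getCanonicalFile();
    }

    /** The vulnerable pattern: user-controlled segments joined to the root without any check. */
    public File resolveUnchecked(String userDirectory, String file) {
        return new File(new File(workingCopyRoot, userDirectory), file);
    }

    /**
     * Hardened form: canonicalize the joined path, then require it to lie under
     * the canonical root. Comparing canonical paths (not the raw string) is what
     * defeats "../" sequences and symlinks pointing out of the tree.
     */
    public File resolveSafely(String userDirectory, String file) throws IOException {
        File candidate = new File(new File(workingCopyRoot, userDirectory), file).getCanonicalFile();
        String rootPrefix = workingCopyRoot.getPath() + File.separator;
        if (!candidate.equals(workingCopyRoot) && !candidate.getPath().startsWith(rootPrefix)) {
            throw new SecurityException("request escapes working copy: " + candidate);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed root directory for the demonstration.
        File root = new File(System.getProperty("java.io.tmpdir"), "continuum-example-root");
        root.mkdirs();
        WorkingCopyPathResolver resolver = new WorkingCopyPathResolver(root);

        // Unchecked: the traversal from the report resolves to /proc/version.
        System.out.println("unchecked: "
            + resolver.resolveUnchecked("../../../../../../../../../proc/", "version").getCanonicalPath());

        // Checked: the same request is rejected.
        try {
            resolver.resolveSafely("../../../../../../../../../proc/", "version");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Checked: a legitimate path under the working copy is still served.
        System.out.println("allowed: " + resolver.resolveSafely("src/main", "pom.xml"));
    }
}
```

The check compares canonical paths with a trailing separator on the root so that a sibling directory such as /usr/local/continuum-other is not mistaken for a child of /usr/local/continuum. Rejecting the request with an error, rather than silently clamping it into the root, also gives the server log a clear signal when someone probes for traversal.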

-- 
This message is automatically generated by JIRA.