[ http://jira.codehaus.org/browse/CONTINUUM-1412?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tom Cort updated CONTINUUM-1412:
--------------------------------

    Attachment: CONTINUUM-1412.patch

Here's a patch that fixes the problem. It compiles, all unit tests pass, and 
continuum works. I tested adding a project and it correctly prevented me from 
using "../" in paths.

> File Inclusion Vulnerability
> ----------------------------
>
>                 Key: CONTINUUM-1412
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-1412
>             Project: Continuum
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.1-beta-2
>         Environment: Java version: 1.5.0_10
> OS name: "linux" version: "2.6.16.49-xen-osl4-ipsec-domu" arch: "i386"
>            Reporter: Tom Cort
>            Priority: Critical
>             Fix For: 1.1-beta-3
>
>         Attachments: CONTINUUM-1412.patch, continuum.JPG
>
>
> The value of the userDirectory variable used when calling workingCopy.action 
> is not filtered properly. This gives anyone who can access workingCopy.action 
> the ability to read any file on the file system with the permissions that 
> jetty is running as.
> For example, let's say we have continuum installed in /usr/local/continuum. 
> Say we have a project named build-tools with a projectId of 10. Using the 
> following URL, I can display the contents of /proc/version (see attached 
> screenshot).
> http://some-server.domain.com:8080/continuum/workingCopy.action?projectId=10&projectName=build-tools&userDirectory=../../../../../../../../../proc/&file=version
> This is really bad if the user is running continuum as root because it gives 
> the attacker access to every file on the file system.
