Posted to issues@maven.apache.org by "Tom Cort (JIRA)" <ji...@codehaus.org> on 2007/08/24 18:14:48 UTC
[jira] Created: (CONTINUUM-1412) File Inclusion Vulnerability
File Inclusion Vulnerability
----------------------------
Key: CONTINUUM-1412
URL: http://jira.codehaus.org/browse/CONTINUUM-1412
Project: Continuum
Issue Type: Bug
Components: Security
Affects Versions: 1.1-beta-2
Environment: Java version: 1.5.0_10
OS name: "linux" version: "2.6.16.49-xen-osl4-ipsec-domu" arch: "i386"
Reporter: Tom Cort
Priority: Critical
Attachments: continuum.JPG
The value of the userDirectory variable used when calling workingCopy.action is not filtered properly. This gives anyone who can access workingCopy.action the ability to read any file on the file system with the permissions that jetty is running as.
For example, let's say we have continuum installed in /usr/local/continuum. Say we have a project named build-tools with a projectId of 10. Using the following URL, I can display the contents of /proc/version (see attached screenshot).
http://some-server.domain.com:8080/continuum/workingCopy.action?projectId=10&projectName=build-tools&userDirectory=../../../../../../../../../proc/&file=version
This is really bad if the user is running continuum as root because it gives the attacker access to every file on the file system.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Closed: (CONTINUUM-1412) File Inclusion Vulnerability
Posted by "Emmanuel Venisse (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/CONTINUUM-1412?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Venisse closed CONTINUUM-1412.
---------------------------------------
Assignee: Emmanuel Venisse
Resolution: Fixed
Applied, thanks.
[jira] Updated: (CONTINUUM-1412) File Inclusion Vulnerability
Posted by "Emmanuel Venisse (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/CONTINUUM-1412?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Venisse updated CONTINUUM-1412:
----------------------------------------
Fix Version/s: 1.1-beta-3
[jira] Updated: (CONTINUUM-1412) File Inclusion Vulnerability
Posted by "Tom Cort (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/CONTINUUM-1412?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tom Cort updated CONTINUUM-1412:
--------------------------------
Attachment: CONTINUUM-1412.patch
Here's a patch that fixes the problem. It compiles, all unit tests pass, and continuum works. I tested adding a project and it correctly prevented me from using "../" in paths.
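Added example, not Continuum's own code and not the attached CONTINUUM-1412.patch: a Java sketch of the unfiltered concatenation the report describes beside a canonical-path containment check of the kind a reviewer would expect the fix to enforce. The working-copy directory layout under /usr/local/continuum, the method names and the sample inputs are assumptions for illustration.

```java
import java.io.File;
import java.io.IOException;

public class WorkingCopyPath {

    // Pattern the report describes: request parameters are appended to the
    // project directory with no filtering, so "../" segments walk out of it.
    static File unsafeResolve(File projectDir, String userDirectory, String file) {
        return new File(new File(projectDir, userDirectory), file);
    }

    // Hardened version: canonicalize (collapses "..", "." and symlinks) and
    // require the result to stay inside the canonical project directory.
    // The patch in this thread rejects "../" literally; containment on the
    // canonical path also covers symlinked or otherwise indirect escapes.
    static File safeResolve(File projectDir, String userDirectory, String file)
            throws IOException {
        File candidate = new File(new File(projectDir, userDirectory), file);
        String base = projectDir.getCanonicalPath();
        String target = candidate.getCanonicalPath();
        boolean inside = target.equals(base) || target.startsWith(base + File.separator);
        if (!inside) {
            throw new IOException("path escapes project working copy: "
                    + userDirectory + "/" + file);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Assumed layout: working copy of projectId 10 under the install dir.
        File projectDir = new File("/usr/local/continuum/working-directory/10");
        String traversal = "../../../../../../../../../proc/"; // value from the report
        // Unfiltered: resolves to /proc/version, outside the project directory.
        System.out.println(unsafeResolve(projectDir, traversal, "version").getCanonicalPath());
        try {
            safeResolve(projectDir, traversal, "version");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // A legitimate path inside the working copy is still served.
        System.out.println(safeResolve(projectDir, "src/main", "pom.xml").getCanonicalPath());
    }
}
```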