[3.4-pre15] JSF-Console xmleditor allows to read/(partial write) any files on system #356

Closed
stephanr opened this issue Aug 7, 2014 · 0 comments · Fixed by #1610
Assignees
Labels: bug (error issue and bug (fix)), console (deegree administration console), CVE (Common Vulnerabilities and Exposures), ready

Comments

stephanr commented Aug 7, 2014

If the parameter of the xmleditor page of the deegree-jsf-console is set to a path outside the workspace, a file could be read.

(requires that the Tomcat user can read the file)

Example on Windows: fileName=C:\VerryBadFileLikeEtcPasswd.txt
On Linux this may be /etc/passwd or another security-related file.

Full request:

http://localhost:8080/deegree-webservices/console/generic/xmleditor.xhtml?nextView=%2Fconsole%2Fwebservices%2Findex&id=null&fileName=C%3A\VerryBadFileLikeEtcPasswd.txt&schemaUrl=jar%3Afile%3A%2FC%3A%2Fworkspace%2Fdeegree3_ws_34cs%2F.metadata%2F.plugins%2Forg.eclipse.wst.server.core%2Ftmp0%2Fwtpwebapps%2Fdeegree-webservices%2FWEB-INF%2Flib%2Fdeegree-services-commons.jar!%2FMETA-INF%2Fschemas%2Fservices%2Fcontroller%2F3.2.0%2Fcontroller.xsd

The file could also be written to disk if the process has the right to, and the file passes the XML validation.

If a workspace is secured by a password, the xmleditor could not be invoked directly.

The file is read directly in org.deegree.console.generic.XmlEditorBean.getContent()

@stephanr stephanr added this to the 3.4 milestone Aug 7, 2014
@stephanr stephanr added the bug label Aug 7, 2014
@copierrj copierrj self-assigned this Aug 8, 2014
@copierrj copierrj added ready and removed in progress labels Aug 8, 2014
copierrj added a commit to copierrj/deegree3 that referenced this issue Aug 8, 2014
It was possible to edit arbitrary files outside the workspaces root. The
fileName parameter is now relative to the workspaces root.

fixes deegree#356
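The following is an added illustration, not deegree's own code and not the patch referenced above. It contrasts the behaviour the issue describes (the `fileName` parameter used as a path as-is) with the approach the commit message describes (interpreting `fileName` relative to the workspaces root), and shows the containment check a maintainer would want on top of that: absolute paths are refused and the normalized result must still lie under the root, so `..` segments cannot escape. The class name `WorkspaceFileResolver`, the method names and the temporary workspace built in `main` are all assumptions made for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Hypothetical helper (not part of deegree): confine a user-supplied
 * fileName to a fixed workspaces root.
 */
public final class WorkspaceFileResolver {

    private final Path root;

    public WorkspaceFileResolver(Path workspacesRoot) {
        // Absolute + normalized so that startsWith() below compares like with like.
        this.root = workspacesRoot.toAbsolutePath().normalize();
    }

    /** The pattern the issue reports: the request parameter becomes the path directly. */
    public static Path resolveUnchecked(String fileName) {
        return Paths.get(fileName);
    }

    /** Hardened: fileName is relative to the root and must stay inside it. */
    public Path resolveInsideRoot(String fileName) {
        if (fileName == null || fileName.isEmpty()) {
            throw new IllegalArgumentException("fileName is required");
        }
        Path candidate = Paths.get(fileName);
        // On Windows this rejects "C:\..." style input; on Linux such a string
        // is just an odd relative file name and is handled by the check below.
        if (candidate.isAbsolute()) {
            throw new IllegalArgumentException("absolute paths are not allowed: " + fileName);
        }
        // normalize() collapses "." and ".." before the containment check.
        Path resolved = root.resolve(candidate).normalize();
        // Path.startsWith compares whole name elements, so a root of /ws does
        // not accidentally accept /wsx/... the way String.startsWith would.
        if (!resolved.startsWith(root)) {
            throw new IllegalArgumentException("path escapes workspaces root: " + fileName);
        }
        return resolved;
    }

    /** Reads a file only after it has passed the containment check. */
    public String readContent(String fileName) throws IOException {
        Path p = resolveInsideRoot(fileName);
        return new String(Files.readAllBytes(p), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        // Constructed workspaces root with one config file inside it.
        Path ws = Files.createTempDirectory("ws-demo");
        Files.createDirectories(ws.resolve("services"));
        Files.write(ws.resolve("services/wfs.xml"), "<wfs/>".getBytes(StandardCharsets.UTF_8));

        WorkspaceFileResolver resolver = new WorkspaceFileResolver(ws);

        // Legitimate, in-workspace request.
        System.out.println("ok: " + resolver.readContent("services/wfs.xml"));

        // Unchecked resolution happily points anywhere the process can read.
        System.out.println("unchecked: " + resolveUnchecked("../../../etc/passwd"));

        // Hostile inputs (constructed) are refused by the hardened resolver.
        String[] hostile = { "../../../etc/passwd", "/etc/passwd", "services/../../secret.xml" };
        for (String f : hostile) {
            try {
                resolver.resolveInsideRoot(f);
                System.out.println("ACCEPTED (unexpected): " + f);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Two caveats for anyone adapting this: `normalize()` works on the path text only and does not follow symbolic links, so if the workspaces root may contain links pointing outside it, call `toRealPath()` on the resolved path (and on the root) before the `startsWith` check; and the write path needs the same containment check as the read path, since the issue notes that a validated file can also be written back.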
@lgoltz lgoltz added the console deegree administration console label Jan 8, 2018
@tfr42 tfr42 removed this from the 3.4 milestone Apr 7, 2018
@tfr42 tfr42 added the CVE Common Vulnerabilities and Exposures label Nov 19, 2019
4 participants