  1. Openfire
  2. OF-1886

Plugin servlet should not provide access to all files on the host


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.4.3
    • Component/s: Admin Console
    • Labels:
      None

      Description

      As reported by Shvetsov Alexander (Positive Technologies):

      A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. It should be noted that access to files is limited by system operational access control (such as in the case of locked or in-use files on the Microsoft Windows operating system).

      An attacker can inject a path to local files after "plugin/<some symbols>/" in this URL. This vulnerability can be exploited only on the Windows platform (because it is necessary to use the "\" symbol as the file system path separator).

      Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.
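
The containment check that closes this class of bug, as an added example (not part of the report, and not Openfire's code or the fix shipped in 4.4.3): the part of the URL after "plugin/<name>/" is resolved against the plugin directory with "\" and "/" treated alike, and anything that would leave that directory is rejected. The class name, method name, plugin directory and sample request paths are hypothetical.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

// Hypothetical helper for illustration; not Openfire's plugin servlet code.
public class PluginResourceResolver {
    private final Path pluginRoot;
    public PluginResourceResolver(Path pluginRoot) {
        this.pluginRoot = pluginRoot.toAbsolutePath().normalize();
    }

    // Maps the URL part after "plugin/<name>/" to a file under pluginRoot,
    // or returns empty when the request would leave that directory.
    public Optional<Path> resolve(String requested) {
        if (requested == null || requested.indexOf('\0') >= 0) {
            return Optional.empty();
        }
        // Treat "\" as a separator on every OS so the check does not depend
        // on the host platform (on Windows the file system accepts both).
        String unified = requested.replace('\\', '/');
        // Absolute and UNC paths start with "/"; ':' covers drive letters
        // ("C:/...") and NTFS alternate data streams.
        if (unified.startsWith("/") || unified.indexOf(':') >= 0) {
            return Optional.empty();
        }
        Path candidate = pluginRoot;
        try {
            for (String segment : unified.split("/")) {
                if (segment.isEmpty() || segment.equals(".")) continue;
                if (segment.equals("..")) return Optional.empty();
                candidate = candidate.resolve(segment);
            }
        } catch (InvalidPathException e) {
            return Optional.empty(); // characters the file system rejects
        }
        candidate = candidate.normalize();
        boolean inside = candidate.startsWith(pluginRoot) && !candidate.equals(pluginRoot);
        return inside ? Optional.of(candidate) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed plugin directory and request paths.
        PluginResourceResolver r = new PluginResourceResolver(Paths.get("plugins", "demo", "web"));
        for (String s : new String[] {"images/logo.png", "a\\b.css", "..\\..\\x.txt", "../x.txt", "C:\\tmp\\x.txt"}) {
            System.out.println(s + " -> " + r.resolve(s).map(Path::toString).orElse("REJECTED"));
        }
    }
}
```

`normalize()` works on the path string only and does not follow symbolic links; where links under the plugin directory are a concern, compare `toRealPath()` of the existing file against the real path of the plugin directory before serving it.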


            People

            Assignee:
            guus Guus der Kinderen
            Reporter:
            guus Guus der Kinderen