Bug #13
Themes allow access to any file on the web server
| Status : | Closed | Start : | |
| Priority : | Urgent | Due date : | |
| Assigned to : | tobi - | % Done : | 0% |
| Category : | backend | | |
| Target version : | 2.5 | | |
| Resolution : | fixed | | |
Description
Using a non-standard theme path it is possible to fetch any file on the webserver (that the CGI process can read), including the database.yml file.
Simply use the following URL:
http://my-blog.domain.com/theme/images?filename=../../../config/database.yml
The file parameter in ThemeController#render_theme_item seriously needs to be sanitized. I would suggest returning an error if the file parameter contains any slashes (or equals "." or "..", but those don't work by themselves anyway).
History
07/29/2005 08:13 AM - scoop -
- Status changed from New to Closed
- Resolution set to fixed
(In r470) Fixed security vulnerability in ThemeController due to missing sanitization of the filename parameter (closes #244)
PLEASE NOTE: This is by no means a catch-all fix. It'll disallow perfectly valid filenames on non-Windows operating systems. But in order to provide a timely fix that doesn't allow for exploitation on either Windows or non-Windows machines, this was found to be tolerable. It is also much more likely to have people with Typo installations on Windows than people using filenames containing a forward slash followed by two consecutive periods followed by another forward slash in their naming for files destined for the Web.
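The check the report asks for (reject a filename parameter that is "." or ".." or contains any slash), combined with a canonical-path containment check as defence in depth, written out as an added example. This is not Typo's code and not the r470 change; the theme root, the `BadFilename` error class and the helper names are assumptions made for the example, and the inputs exercised at the bottom are constructed from the URL in the report plus an ordinary image name.

```ruby
# Added example, not Typo's ThemeController: a strict filename check for a
# theme-item lookup, followed by a resolved-path containment check.

# Hypothetical theme root; a Rails app would derive this from RAILS_ROOT and the theme name.
THEME_ROOT = File.expand_path("themes/default/images", Dir.pwd)

class BadFilename < StandardError; end

# Rule suggested in the report: reject the parameter outright if it is "." or ".."
# or contains any path separator. Backslash is included so the same rule holds on
# Windows hosts, which the r470 note also had to cover.
def reject_unsafe_filename!(filename)
  raise BadFilename, "empty filename" if filename.nil? || filename.empty?
  raise BadFilename, "dot segment" if filename == "." || filename == ".."
  raise BadFilename, "path separator in filename" if filename.match?(%r{[/\\]})
  # Extra guard beyond the report: a NUL byte can truncate the name at the OS layer.
  raise BadFilename, "NUL byte in filename" if filename.include?("\0")
  filename
end

# Defence in depth: after the syntactic check, resolve the path and verify that it
# is still inside the theme root, so nothing the first check misses can escape.
def theme_item_path(filename, root = THEME_ROOT)
  reject_unsafe_filename!(filename)
  candidate = File.expand_path(filename, root)
  unless candidate == root || candidate.start_with?(root + File::SEPARATOR)
    raise BadFilename, "resolved path escapes theme root"
  end
  candidate
end

# Boolean wrapper for callers that want to log the rejection and return a 404.
def safe_theme_filename?(filename, root = THEME_ROOT)
  theme_item_path(filename, root)
  true
rescue BadFilename
  false
end

if __FILE__ == $0
  # Constructed inputs: the traversal string from the bug report, an ordinary image
  # name, a bare dot segment, and a Windows-style separator.
  ["../../../config/database.yml", "logo.png", "..", "icons\\x.png"].each do |f|
    puts "#{f.inspect} => #{safe_theme_filename?(f) ? 'allowed' : 'rejected'}"
  end
end
```

The syntactic rule alone already rejects every input that can name a directory, which is why the report considered it sufficient; the containment check costs one `File.expand_path` call and makes the result independent of how the web server or Rails decoded the parameter.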
