backup-edit traversal #969

Closed
tablatronix opened this issue Nov 29, 2014 · 1 comment
@tablatronix
Member

backup-edit view and restore are susceptible to traversal injections.
It could be possible to read xml files on system or restore them, allowing renaming and possible file extension changes.

@tablatronix
Member Author

I couldn't get this to do much, but I can get it to restore old user files, and the fact that I can touch users/files is bad enough.

I can also convert user.xml.bak to user.bak.xml

And this is without null byte exploits, which would allow a lot more.
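The checks a backup view/restore handler needs on the request-supplied file name, shown as an added example in Python (this is not the project's own code, which is not quoted on this page). The directory names and the `.xml.bak` naming convention are assumptions drawn from the comments above; the weak pattern is shown next to the hardened one so the difference is concrete.

```python
import os
from typing import Optional

# Constructed layout for the demo (assumption: backups live in their own
# folder and a restore writes back into the users/ folder).
BACKUP_DIR = "/srv/cms/backups"
ALLOWED_SUFFIX = ".xml.bak"


def vulnerable_backup_path(backup_dir: str, name: str) -> str:
    """The weak pattern the issue describes: the request parameter is joined
    onto the backup directory as-is, so '../' segments leave that directory
    and the caller controls the extension of whatever gets read or written."""
    return os.path.join(backup_dir, name)


def safe_backup_path(backup_dir: str, name: str) -> Optional[str]:
    """Hardened form: returns an absolute path inside backup_dir, or None
    when the name must be rejected."""
    # 1. Null bytes truncate paths in C-backed runtimes; reject outright.
    if "\x00" in name:
        return None
    # 2. Must be a bare file name: no separators on any platform, no '.'/'..'.
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        return None
    # 3. Enforce the expected suffix, so a restore cannot turn a backup into
    #    a file of another type (e.g. user.bak.xml) and the stem is non-empty.
    if not name.endswith(ALLOWED_SUFFIX) or len(name) == len(ALLOWED_SUFFIX):
        return None
    # 4. Canonicalize and confirm containment as defense in depth.
    root = os.path.realpath(backup_dir)
    full = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, full]) != root:
        return None
    return full


def restore_target(users_dir: str, backup_name: str) -> Optional[str]:
    """Derive the restore destination from the validated backup name instead
    of accepting a second request parameter, which removes the rename vector."""
    src = safe_backup_path(BACKUP_DIR, backup_name)
    if src is None:
        return None
    stem = os.path.basename(src)[: -len(".bak")]  # user.xml.bak -> user.xml
    return os.path.join(os.path.realpath(users_dir), stem)


if __name__ == "__main__":
    # Constructed request values illustrating each rejected class.
    for candidate in ["user.xml.bak", "../users/admin.xml",
                      "user.bak.xml", "user.xml.bak\x00.txt"]:
        print(repr(candidate), "->", safe_backup_path(BACKUP_DIR, candidate))
```

The key design choice is that the destination of a restore is computed from the validated source name, never taken from the request; the containment check in step 4 then only guards against mistakes in steps 1 to 3 rather than being the sole line of defense.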

@tablatronix tablatronix added this to the 3.3.5 milestone Dec 1, 2014
tablatronix added a commit that referenced this issue Dec 2, 2014