There is a insecure permission so that we can read any file we want,include config.php #22
Comments
|
Great, I can use security help.
But, posting all of this to github is pretty dangerous.
You can’t contact me directly with these things and give me a chance to work on them before making it public?
… On Feb 19, 2019, at 5:57 PM, zyfyc ***@***.***> wrote:
When we log in,we can view some css files.But there is a insecure permission so that we can view any file.
poc:
http://local`/ndxzstudio/?a=system&q=assets&edit=..\/../../indexhibit-master/ndxzsite/config/config.php` <http://local`/ndxzstudio/?a=system&q=assets&edit=..%5C/../../indexhibit-master/ndxzsite/config/config.php%60>
<https://user-images.githubusercontent.com/43108927/53050343-144fdc80-34d4-11e9-95c1-f85a9628e706.png>
fix:The parameter we put need Rigorous testing
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub <#22>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAC3AnjJzJyNbMkDJq3eaCTWsiX4Xo3iks5vPHNNgaJpZM4bD88y>.
|
|
Sorry,but I want to get a CVE,your recognition needed.I will contact you first when I find new issues |
|
I posted a fix for this a couple days ago - are you using the newest files?
… On Feb 19, 2019, at 5:57 PM, zyfyc ***@***.***> wrote:
When we log in,we can view some css files.But there is a insecure permission so that we can view any file.
poc:
http://local`/ndxzstudio/?a=system&q=assets&edit=..\/../../indexhibit-master/ndxzsite/config/config.php` <http://local`/ndxzstudio/?a=system&q=assets&edit=..%5C/../../indexhibit-master/ndxzsite/config/config.php%60>
<https://user-images.githubusercontent.com/43108927/53050343-144fdc80-34d4-11e9-95c1-f85a9628e706.png>
fix:The parameter we put need Rigorous testing
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub <#22>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAC3BJHuT86w2VI3rwRhh_31E6-36OQ9ks5vPHNOgaJpZM4bD88y>.
|
|
yes,I had download from github yesterday and reinstall the website to test |
|
ok,I will submit a new issue telled you yesterday,ok? |
|
i have fixed this issue.
are you going to upload one thing every day? every night i get another note - i can’t sleep. i’m going on vacation tomorrow.
can’t you just send me a note with everything so i can do it all at once? posting like this to github, and i don’t mind if people claim i don’t know how github works, is creating a map for future hackers. unfortunately, there are people who don’t update their sites for 10 years now…i can’t control this.
you can send me a note directly at support@indexhibit.org <mailto:support@indexhibit.org>
thanks
… On Feb 20, 2019, at 8:19 PM, zyfyc ***@***.***> wrote:
ok,I will submit a new issue telled you yesterday,ok?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#22 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAC3AisCVN-Lwx_N820UDsa-BF141KfRks5vPeYfgaJpZM4bD88y>.
|
|
Fixed. |
|
ok,all is gone.Happy vacations.Another issue I had posted to you yesterday,so there is no necessary to be a new issue.Thanks for your tips |
|
i do really appreciate your help.
i will handle csrf shortly - i’ve been researching how to best resolve it.
and the new installer blocks from viewing things after installation.
thanks very much for the tip!
… On Feb 20, 2019, at 9:14 PM, zyfyc ***@***.***> wrote:
ok,all is gone.Happy vacations.Another issue I had posted to you yesterday,so there is no necessary to be a new issue.Thanks for your tips
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub <#22 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAC3BMBw91xpI2BrC2USybHq1DlNXAeZks5vPfMJgaJpZM4bD88y>.
|
|
There is a easy way to avoid reinstalling.You deleted install.php after installed or required installer to delete it.Just a suggestion. |
|
yes, that is suggested on the installation instructions.
… On Feb 20, 2019, at 9:23 PM, zyfyc ***@***.***> wrote:
There is a easy way to avoid reinstalling.You deleted install.php after installed or required installer to delete it.Just a suggestion.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#22 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAC3Aq7eeivmB0KNb77hx5jLR1lYc8fwks5vPfUugaJpZM4bD88y>.
|
|
if you contact me via support@indexhibit.org <mailto:support@indexhibit.org> i will give you a small gift for your help. ;)
… On Feb 20, 2019, at 9:23 PM, zyfyc ***@***.***> wrote:
There is a easy way to avoid reinstalling.You deleted install.php after installed or required installer to delete it.Just a suggestion.
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub <#22 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAC3BLemNhYYHjZgVvj9B-7nXmarpLDVks5vPfUugaJpZM4bD88y>.
|
|
ok,That's fine and I will try to. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When we log in,we can view some css files.But there is a insecure permission so that we can view any file.
poc:
http://local`/ndxzstudio/?a=system&q=assets&edit=..\/../../indexhibit-master/ndxzsite/config/config.php`
fix:The parameter we put need Rigorous testing
The text was updated successfully, but these errors were encountered: