There is an insecure permission so that we can read any file we want, including config.php #22
Comments
Great, I can use security help.
But, posting all of this to github is pretty dangerous.
You can’t contact me directly with these things and give me a chance to work on them before making it public?
… On Feb 19, 2019, at 5:57 PM, zyfyc wrote:
> When we log in, we can view some CSS files. But there is an insecure permission so that we can view any file.
> poc:
> http://local/ndxzstudio/?a=system&q=assets&edit=..\/../../indexhibit-master/ndxzsite/config/config.php
> <https://user-images.githubusercontent.com/43108927/53050343-144fdc80-34d4-11e9-95c1-f85a9628e706.png>
> fix: The parameter we put in needs rigorous testing.
Sorry, but I want to get a CVE, so your recognition is needed. I will contact you first when I find new issues.
I posted a fix for this a couple days ago - are you using the newest files?
Yes, I downloaded it from GitHub yesterday and reinstalled the website to test.
ok, I will submit a new issue that I told you about yesterday, ok?
i have fixed this issue.
are you going to upload one thing every day? every night i get another note - i can’t sleep. i’m going on vacation tomorrow.
can’t you just send me a note with everything so i can do it all at once? posting like this to github, and i don’t mind if people claim i don’t know how github works, is creating a map for future hackers. unfortunately, there are people who don’t update their sites for 10 years now… i can’t control this.
you can send me a note directly at support@indexhibit.org
thanks
… On Feb 20, 2019, at 8:19 PM, zyfyc wrote:
> ok, I will submit a new issue that I told you about yesterday, ok?
Fixed.
ok, all is gone. Happy vacations. Another issue I had posted to you yesterday, so there is no need for a new issue. Thanks for your tips.
i do really appreciate your help.
i will handle csrf shortly - i’ve been researching how to best resolve it.
and the new installer blocks from viewing things after installation.
thanks very much for the tip!
… On Feb 20, 2019, at 9:14 PM, zyfyc wrote:
> ok, all is gone. Happy vacations. Another issue I had posted to you yesterday, so there is no need for a new issue. Thanks for your tips.
There is an easy way to avoid reinstalling. Delete install.php after installing, or require the installer to delete it. Just a suggestion.
yes, that is suggested on the installation instructions.
… On Feb 20, 2019, at 9:23 PM, zyfyc wrote:
> There is an easy way to avoid reinstalling. Delete install.php after installing, or require the installer to delete it. Just a suggestion.
if you contact me via support@indexhibit.org i will give you a small gift for your help. ;)
ok, that's fine and I will try to.
When we log in, we can view some CSS files. But there is an insecure permission so that we can view any file.
poc:
http://local/ndxzstudio/?a=system&q=assets&edit=..\/../../indexhibit-master/ndxzsite/config/config.php
fix: The parameter we put in needs rigorous testing.
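The report above boils down to an `edit=` parameter that is joined onto the assets directory without checking where the resulting path ends up, so `..` components (including the `..\/` mixed-separator spelling shown in the poc) walk out to `config.php`. As an added example, not Indexhibit's own code and not the fix the maintainer shipped, the following PHP resolver shows the kind of "rigorous testing" the reporter asks for: the supplied path is resolved with `realpath()`, then required to sit inside the assets root, and then required to carry an allow-listed extension. The `$assetsRoot` layout, the `resolveAssetPath` name and the `css`/`js` allow-list are assumptions for the demo.

```php
<?php
declare(strict_types=1);

/**
 * Added example: resolve a user-supplied relative path (e.g. the `edit=`
 * value) to an absolute file inside $assetsRoot, or return null if the
 * request must be rejected. Assumed API, not Indexhibit's.
 */
function resolveAssetPath(string $assetsRoot, string $requested, array $allowedExt = ['css', 'js']): ?string
{
    // Reject embedded NUL bytes; they can truncate paths in native calls.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // The root must exist and be canonical before it can be used as a bound.
    $root = realpath($assetsRoot);
    if ($root === false) {
        return null;
    }
    // realpath() collapses ".", ".." and symlinks, so every traversal spelling
    // (plain, URL-decoded, mixed separators) ends up as the true target on disk,
    // or false when the path does not exist.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;
    }
    // Containment: the resolved path must start with the root *plus* a separator,
    // so a sibling such as "assets-private" cannot pass as a prefix match.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Even inside the root, only regular files with an allow-listed extension
    // may be opened by the asset editor (no .php sources, no dotfiles).
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!is_file($candidate) || !in_array($ext, $allowedExt, true)) {
        return null;
    }
    return $candidate;
}

// Constructed demo layout in a temporary directory: an assets folder with one
// stylesheet and a sibling config folder holding a config.php that must never
// be reachable through the asset editor.
$tmp = sys_get_temp_dir() . '/asset_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/assets", 0700, true);
mkdir("$tmp/config", 0700, true);
file_put_contents("$tmp/assets/site.css", "body{}");
file_put_contents("$tmp/config/config.php", "<?php // constructed placeholder");

$cases = [
    'site.css',                     // legitimate asset: allowed
    '../config/config.php',         // plain traversal: rejected
    '..\/../config/config.php',     // mixed-separator spelling from the report: rejected
    'site.css/../../config/config.php', // traversal via an existing file: rejected
];
foreach ($cases as $c) {
    $r = resolveAssetPath("$tmp/assets", $c);
    printf("%-40s => %s\n", $c, $r === null ? 'rejected' : 'allowed: ' . basename($r));
}

// Clean up the constructed layout.
unlink("$tmp/assets/site.css");
unlink("$tmp/config/config.php");
rmdir("$tmp/assets");
rmdir("$tmp/config");
rmdir($tmp);
```

Two design points worth noting: the check is done on the resolved path rather than by filtering `..` out of the input string, because string filtering is what mixed separators and double encoding are designed to slip past, and the extension allow-list is kept even after containment succeeds, because an asset editor has no business opening PHP sources even when they live under the assets root. Web-server URL decoding happens before the value reaches PHP, so the `%5C` form in the report arrives as the same backslash this code resolves.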