
Using this script leads to path traversal vulnerability #93

Closed
yahesh opened this issue Jul 21, 2017 · 8 comments · Fixed by #111

yahesh commented Jul 21, 2017

We installed your script in a test environment and were presented with URLs in the form

https://<ip>:9980/loleaflet/<id>/loleaflet.html?file_path=file:///opt/online/test/data/hello-world.odt

We were curious and tried other paths - with success - like:

https://<ip>:9980/loleaflet/<id>/loleaflet.html?file_path=file:///etc/passwd
https://<ip>:9980/loleaflet/<id>/loleaflet.html?file_path=file:///etc/ssh/sshd_config

The readme document does not point out that using officeonlin-install.sh opens the corresponding server to such a path traversal vulnerability.

aalaesar (Contributor)

Hi.
Thank you for reporting this very important issue.
At this point I'm not sure if this vulnerability is implied by the LibreOffice Online design or
if this is a test feature that should be deactivated either in the config or in the build.
This requires more investigation,
like testing this vulnerability from an external network, and maybe a comparative test with the official Collabora Docker image.

Kassiematis (Contributor) commented Jul 21, 2017

This should be removed from the script on line 588:

--o:storage.filesystem[@allow]=true

Only this test will not work anymore:

https://<ip>:9980/loleaflet/<id>/loleaflet.html?file_path=file:///opt/online/test/data/hello-world.odt

aalaesar (Contributor)

@Kassiematis
It's config then, nice!
👍

yahesh (Author) commented Jul 21, 2017

Seems to work for us. :)

Kassiematis (Contributor) commented Jul 21, 2017

Should we change the script? Testing availability can still be done with this link.
https://admin:password@localhost:9980/loleaflet/dist/admin/admin.html

In /opt/online/loolwsd.xml it can still be activated by changing

<storage desc="Backend storage"> <filesystem allow="false" />

to true

For debug/testing purposes only.
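The two comments above identify the same switch in two places: the `--o:storage.filesystem[@allow]=true` command-line override in the install script, and `<storage><filesystem allow="..."/></storage>` in /opt/online/loolwsd.xml. The script below is an added example, not code from this issue or from the officeonlin-install.sh project: it audits both locations and reports whether the deployment will open arbitrary `file://` URIs through `file_path`. The loolwsd.xml and install-script excerpts are constructed for the example; the accepted spellings of "true" and the handling of a missing `<filesystem>` element are assumptions you should check against the loolwsd version you run.

```python
"""Audit a LibreOffice Online (loolwsd) install for the filesystem storage
backend being enabled, the setting behind the file:///etc/passwd exposure
reported in this issue.

Added example; not part of the issue or the install script.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed loolwsd.xml excerpt. The real file has many more elements;
# only the <storage> subtree matters for this check.
WEAK_CONFIG = """<config>
  <storage desc="Backend storage">
    <filesystem allow="true" />
    <wopi desc="Allow/deny wopi storage." allow="true">
      <host desc="Regex pattern of hostname to allow or deny." allow="true">localhost</host>
    </wopi>
  </storage>
</config>
"""

# Same excerpt with the fix from this issue applied.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    '<filesystem allow="true" />', '<filesystem allow="false" />'
)

# Constructed fragment of an install script that launches loolwsd with
# --o: overrides, including the one this issue asks to remove.
SCRIPT_EXCERPT = """su - lool -c "/opt/online/loolwsd \\
    --o:sys_template_path=/opt/online/systemplate \\
    --o:child_root_path=/opt/online/jails \\
    --o:storage.filesystem[@allow]=true \\
    --o:ssl.enable=true"
"""

# Assumption: boolean attributes are parsed permissively (Poco-style), so
# any of these spellings enables the backend.
TRUE_VALUES = {"true", "yes", "on", "1"}

OVERRIDE_RE = re.compile(r"--o:storage\.filesystem\[@allow\]=(\S+)")


def filesystem_storage_allowed(xml_text: str) -> bool:
    """True if storage/filesystem@allow in loolwsd.xml enables file:// access.

    Assumption: a missing <filesystem> element is treated as disabled here;
    verify that default against your loolwsd build.
    """
    root = ET.fromstring(xml_text)
    node = root.find("./storage/filesystem")
    if node is None:
        return False
    return node.get("allow", "false").strip().lower() in TRUE_VALUES


def filesystem_overrides(script_text: str) -> List[Tuple[int, str]]:
    """Return (line number, value) for every --o:storage.filesystem[@allow]=
    override found in an install or start script."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        for match in OVERRIDE_RE.finditer(line):
            # Strip a closing shell quote that may follow the value.
            hits.append((lineno, match.group(1).rstrip("\"'").lower()))
    return hits


def deployment_exposes_local_files(xml_text: str, script_text: str) -> bool:
    """Combine both sources. A --o: override on the command line wins over
    loolwsd.xml, so a hardened XML file is not enough on its own."""
    overrides = filesystem_overrides(script_text)
    if overrides:
        return overrides[-1][1] in TRUE_VALUES
    return filesystem_storage_allowed(xml_text)


if __name__ == "__main__":
    for label, xml_text, script in (
        ("weak xml, no override", WEAK_CONFIG, ""),
        ("hardened xml, no override", HARDENED_CONFIG, ""),
        ("hardened xml, script override", HARDENED_CONFIG, SCRIPT_EXCERPT),
    ):
        exposed = deployment_exposes_local_files(xml_text, script)
        print(f"{label}: {'EXPOSED' if exposed else 'ok'}")
        for lineno, value in filesystem_overrides(script):
            print(f"  override on script line {lineno}: allow={value}")
```

Run it against the real /opt/online/loolwsd.xml and the script that starts loolwsd on your host; the third case above is the one that bites after editing only the XML, because the `--o:` override still re-enables the backend at start-up. Restart loolwsd after changing either source, then confirm with the `/hosting/discovery` or admin URLs mentioned in this thread that the service itself is still up.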

aalaesar (Contributor)

Definitely yes, but we must find how to remove the prompt showing the test URI, or many won't understand why the test instructions are not working.
https://<ip>:9980/hosting/discovery is also a good way to test the service availability.

Kassiematis (Contributor) commented Jul 24, 2017

The prompt can be removed by removing --enable-debug at line 316:

lool_configure_opts='--enable-debug'

https://admin:password@localhost:9980/loleaflet/dist/admin/admin.html still works

Kassiematis (Contributor)

Pull requests created:

#97
#98
