Using this script leads to path traversal vulnerability #93
Hi.
This should be removed from the script on line 588.
Only this test will not work anymore: https://:9980/loleaflet//loleaflet.html?file_path=file:///opt/online/test/data/hello-world.odt
@Kassiematis
Seems to work for us. :)
Should we change the script? Testing availability can still be done with this link. In /opt/online/loolwsd.xml it can still be activated by changing to true (for debug/testing purposes only).
Definitely yes, but we must find how to remove the prompt showing the test URI, or many won't understand why the test instructions are not working.
The prompt can be removed by removing --enable-debug at line 316 (lool_configure_opts='--enable-debug'). https://admin:password@localhost:9980/loleaflet/dist/admin/admin.html still works.
We installed your script in a test environment and were presented with URLs in the form
https://<ip>:9980/loleaflet/<id>/loleaflet.html?file_path=file:///opt/online/test/data/hello-world.odt
We were curious and tried other paths, with success, like:
https://<ip>:9980/loleaflet/<id>/loleaflet.html?file_path=file:///etc/passwd
https://<ip>:9980/loleaflet/<id>/loleaflet.html?file_path=file:///etc/ssh/sshd_config
The readme document does not point out that using officeonlin-install.sh opens the corresponding server to such a path traversal vulnerability.
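Added example (not from the issue thread or the officeonlin-install.sh project): a small Python check that scans web access-log lines for the file_path=file:/// requests described above and flags any that resolve outside /opt/online/test/data, the only directory the test link is meant to reach. The log lines, client addresses and the abc123 instance id are constructed for the example, and it assumes the request line is recorded in common log format (for instance by a reverse proxy in front of loolwsd), which the thread does not state.

```python
"""Flag loleaflet test-URI requests that read local files outside the test-data directory.

Added example; the log lines below are constructed and not taken from any real server.
"""
import re
from posixpath import normpath
from urllib.parse import parse_qs, urlsplit

# The only directory the test link in the thread is meant to serve.
ALLOWED_TEST_DIR = "/opt/online/test/data"

# Constructed sample access-log lines in common log format (hypothetical clients and id).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /loleaflet/abc123/loleaflet.html?file_path=file:///opt/online/test/data/hello-world.odt HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "GET /loleaflet/abc123/loleaflet.html?file_path=file:///etc/passwd HTTP/1.1" 200 1890
10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /loleaflet/abc123/loleaflet.html?file_path=file%3A%2F%2F%2Fopt%2Fonline%2Ftest%2Fdata%2F..%2F..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 1100
10.0.0.7 - - [01/Jan/2020:10:00:03 +0000] "GET /loleaflet/dist/admin/admin.html HTTP/1.1" 200 2048
"""

# Request line inside the quotes of a common-log-format record.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def file_path_param(target):
    """Return the (once-decoded) file_path parameter of a loleaflet.html request, or None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/loleaflet.html"):
        return None
    values = parse_qs(parts.query).get("file_path")
    return values[0] if values else None


def local_path(file_uri):
    """Return the normalised filesystem path of a file:// URI, or None for other schemes."""
    parts = urlsplit(file_uri)
    if parts.scheme != "file":
        return None
    # normpath collapses "..", so traversal attempts resolve to their real target.
    return normpath(parts.path)


def is_outside(path, allowed_dir=ALLOWED_TEST_DIR):
    """True when a normalised path is not the allowed directory or something below it."""
    return not (path == allowed_dir or path.startswith(allowed_dir + "/"))


def find_suspicious(log_text):
    """Return (client, resolved path) for every file_path read outside the test directory."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        file_uri = file_path_param(match.group("target"))
        if file_uri is None:
            continue
        path = local_path(file_uri)
        if path is not None and is_outside(path):
            hits.append((line.split(" ", 1)[0], path))
    return hits


if __name__ == "__main__":
    for client, path in find_suspicious(SAMPLE_LOG):
        print(f"{client} read local file outside test data: {path}")
```

The check decodes the query string once, as the server would, and normalises the path before comparing it with the allowed directory, so an encoded `..` sequence aimed at /etc/shadow is reported as the file it actually reaches rather than as a request under /opt/online/test/data. It only detects reads after the fact; the fix discussed in the thread is to stop shipping the test URI in the first place.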