Forum OpenACS Development: Vulnerability fixed

Posted by Gustaf Neumann on
Dear all,

Api-browser had a severe vulnerability that could enable an attacker to obtain all files of the machine readable to the nsd process (such as /etc/passwd, /etc/hosts, etc.). The attacker could pass to the query parameter "path" a relative path, which might contain path traversals like `../../..`. The fix is especially bad on installations having api-browser publicly readable (read permissions to "The Public").

The vulnerability is fixed on, in the CVS repository in the head branch, in the branches oacs-5-6, oacs-5-5, oacs-5-4, oacs-5-3 and in the Debian packages.

Updates are recommended, or remove api-doc from public sites.
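
A containment check of the kind that closes a traversal through a "path" parameter like the one described in the post above, as an added example that is not part of the original post and is not the actual OpenACS fix. The proc name `resolve_under_root`, the root directory and the sample inputs are constructed for illustration.

```tcl
# Added example (hypothetical names): resolve a user-supplied relative
# path and refuse anything that ends up outside the allowed root.
proc resolve_under_root {root rel_path} {
    set root_abs [file normalize $root]

    # [file join] discards the root when the second argument is
    # absolute, so only accept relative input.
    if {[file pathtype $rel_path] ne "relative"} {
        error "rejected (not a relative path): $rel_path"
    }

    # Normalizing "<path>/__dummy__" and taking the dirname collapses
    # "." and ".." and also resolves a symlink in the last component.
    set joined [file join $root_abs $rel_path]
    set candidate [file dirname [file normalize [file join $joined __dummy__]]]

    # Compare component by component, so that a sibling directory such
    # as "<root>-old" is not accepted by a plain string-prefix match.
    set root_parts [file split $root_abs]
    set cand_parts [file split $candidate]
    set last [expr {[llength $root_parts] - 1}]
    foreach r $root_parts c [lrange $cand_parts 0 $last] {
        if {$r ne $c} {
            error "rejected (escapes root): $rel_path"
        }
    }
    return $candidate
}

# Constructed sample inputs for a "path" query parameter.
set root /srv/example/packages
foreach p {
    acs-tcl/tcl/utilities-procs.tcl
    ../../../etc/passwd
    acs-tcl/../../../../etc/hosts
    /etc/passwd
    ../packages-old/secret.tcl
} {
    if {[catch {resolve_under_root $root $p} result]} {
        puts "DENY  $p -> $result"
    } else {
        puts "ALLOW $p -> $result"
    }
}
```

The check has to run on the normalized result, not on the raw parameter: filtering the input string for `..` misses absolute paths and symlinks that point outside the root.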

2: Re: Vulnerability fixed (response to 1)
Posted by Héctor Romojaro on

Debian packages are still vulnerable.

I've committed the fix to the SVN Debian repository, but it will take some time to be uploaded into the main repository.

Cheers, Héctor