Dear all,
Api-browser had a severe vulnerability that could enable an attacker to obtain all files of the machine readable to the nsd process (such as e.g. /etc/passwd, /etc/hosts etc.). The attacker could pass to the query parameter "path" a relative path, which might contain path traversals like ../../.. . The fix is especially bad on installations having api-browser public readable (read permissions to "The Public").
The vulnerability is fixed on openacs.org, in the CVS repository in the head branch, in the branches oacs-5-6, oacs-5-5, oacs-5-4, oacs-5-3 and in the Debian packages.
Updates are recommended, or remove api-doc from public sites.
