OpenNMS / NMS-6580

Security: downloadReport allow download and view any file in filesystem

    Details

      Description

      Walkthrough:

      • Log in to the OpenNMS web UI and paste the following URL into the browser:
        http://<IP-OF-OPENNMS>:8980/opennms/report/database/downloadReport.htm?fileName=/etc/group

      Or any other file in the filesystem.

      Access to files outside the defined paths should be blocked.

        Activity

        jeffg Jeff Gehlbach added a comment -

        Fixed this exposure by comparing the pathname of the requested file's parent directory against the configured storage-location in reportd-configuration.xml. If no match, we throw an exception.

        Fix committed and pushed in 1.12, cherry-picked to 1.10, and merged to master (1.13).

        Thanks for the report, Martin.

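A defensive illustration of the check Jeff describes, added here as an example and not OpenNMS's own code: resolve the requested fileName against the configured storage-location, canonicalise both sides so ".." and symlinks are collapsed, and refuse anything whose parent directory is not that location. The class and method names, and the temporary directory standing in for the reportd storage-location, are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

// Hypothetical helper (not OpenNMS code) showing the parent-directory
// check used to close NMS-6580.
public class ReportPathCheck {

    public static File resolveReportFile(String storageLocation, String fileName)
            throws IOException {
        // Canonicalise the configured directory so the comparison below is
        // not fooled by relative segments, duplicate separators or symlinks.
        File storageDir = new File(storageLocation).getCanonicalFile();
        // Treat the request as a name inside the storage directory, then
        // canonicalise it so that "../" sequences are resolved before checking.
        File requested = new File(storageDir, fileName).getCanonicalFile();
        File parent = requested.getParentFile();
        // The requested file's parent must be exactly the storage directory;
        // subdirectories and anything outside it are rejected.
        if (parent == null || !parent.equals(storageDir)) {
            throw new SecurityException("Requested file " + fileName
                    + " is outside the report storage location " + storageDir);
        }
        return requested;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary directory stands in for the
        // storage-location configured in reportd-configuration.xml.
        File storage = Files.createTempDirectory("reports").toFile();
        String[] names = { "report.pdf", "/etc/group", "../../etc/group" };
        for (String name : names) {
            try {
                System.out.println("allowed: " + resolveReportFile(storage.getPath(), name));
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Only "report.pdf" resolves; the two traversal-style names end up with a parent directory other than the storage location and raise the exception.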
        ranger Benjamin Reed added a comment -

        You know it's a good bug when we release a fix to the previous stable release. Thanks for the catch!

        michael_nt Michael Batz added a comment -

        If you do not need the feature and do not want to make an update, add the following line to
        <OpenNMS-Home>/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml

        <!-- Workaround for NMS-6580 -->
        <intercept-url pattern="/report/database/downloadReport.htm*" access="ROLE_NOACCESS" />


          People

          • Assignee: jeffg Jeff Gehlbach
          • Reporter: mlaercher Martin Laercher