Uploaded image for project: 'OpenNMS'
  1. OpenNMS
  2. NMS-6580

Security: downloadReport allow download and view any file in filesystem

        Details

          Description

          Walkthrough:

          • Login to OpenNMS Webui
            paste following URL in browser:
            http://<IP-OF-OPENNMS>:8980/opennms/report/database/downloadReport.htm?fileName=/etc/group

          Or another file in filesystem.

          It should be suppressed to access files outside defined paths.

            Activity

            Ascending order - Click to sort in descending order
            Hide
            Permalink
            jeffg Jeff Gehlbach added a comment -

            Fixed this exposure by comparing the pathname of the requested file's parent directory against the configured storage-location in reportd-configuration.xml. If no match, we throw an exception.

            Fix committed and pushed in 1.12, cherry-picked to 1.10, and merged to master (1.13).

            Thanks for the report, Martin.

            Show
            jeffg Jeff Gehlbach added a comment - Fixed this exposure by comparing the pathname of the requested file's parent directory against the configured storage-location in reportd-configuration.xml. If no match, we throw an exception. Fix committed and pushed in 1.12, cherry-picked to 1.10, and merged to master (1.13). Thanks for the report, Martin.
            Hide
            Permalink
            ranger Benjamin Reed added a comment -

            You know it's a good bug when we release a fix to the previous stable release. Thanks for the catch!

            Show
            ranger Benjamin Reed added a comment - You know it's a good bug when we release a fix to the previous stable release. Thanks for the catch!
            Hide
            Permalink
            michael_nt Michael Batz added a comment -

            If you do not need the feature and do not want to make an update, add the following line to
            <OpenNMS-Home>/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml

            <!-- Workaround for NMS-6580 -->
            <intercept-url pattern="/report/database/downloadReport.htm*" access="ROLE_NOACCESS" />

            Show
            michael_nt Michael Batz added a comment - If you do not need the feature and do not want to make an update, add the following line to <OpenNMS-Home>/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml <!-- Workaround for NMS-6580 --> <intercept-url pattern="/report/database/downloadReport.htm*" access="ROLE_NOACCESS" />

              People

              • Assignee:
                jeffg Jeff Gehlbach
                Reporter:
                mlaercher Martin Laercher
              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Development