[NMS-6580] Security: downloadReport allow download and view any file in filesystem - The OpenNMS Issue Tracker

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 1.12.7
Fix Version/s: 1.10.14, 1.12.8, 1.13.3
Component/s: Web UI - General
Security Level: Default (Default Security Scheme)
Labels:
- bug
- security
- web

Description

Walkthrough:

Login to OpenNMS Webui
paste following URL in browser:
http://<IP-OF-OPENNMS>:8980/opennms/report/database/downloadReport.htm?fileName=/etc/group

Or another file in filesystem.

It should be suppressed to access files outside defined paths.

Attachments

Activity

People

Assignee:

Jeff Gehlbach

Reporter:

Martin Laercher

Votes:

0 Vote for this issue

Watchers:

5 Start watching this issue

Dates

Created:

03/Jun/14 9:34 AM

Updated:

27/Jan/17 4:21 PM

Resolved:

03/Jun/14 2:54 PM