[NMS-6580] Security: downloadReport allow download and view any file in filesystem - The OpenNMS Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 1.12.7
Fix Version/s: 1.10.14, 1.12.8, 1.13.3
Component/s: Web UI - General
Security Level: Default (Default Security Scheme)
Labels:
- bug
- security
- web

Description

Walkthrough:

Login to OpenNMS Webui
paste following URL in browser:
http://<IP-OF-OPENNMS>:8980/opennms/report/database/downloadReport.htm?fileName=/etc/group

Or another file in filesystem.

It should be suppressed to access files outside defined paths.

Attachments

Activity

People

Assignee:: Jeff Gehlbach

Reporter:: Martin Laercher

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 03/Jun/14 9:34 AM

Updated:: 27/Jan/17 4:21 PM

Resolved:: 03/Jun/14 2:54 PM

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.