#104 Block_render_url.class::security issue

enhancement
closed-fixed
nobody
index (20)
5
2001-05-22
2001-04-13
tobozo
No

when specifying a path instead of a url in a block
type "url",
it is possible to see the local file on the server
displayed in
the block as text..
ex :

Title : notTrusted
Type : url
Site Location : whatever
Source URL : ./config.php3
Expire Length : 0
Owned by section : **not** the home section
Data : (empty)
Order number : whatever

On assassine.org (apache/php3.0.16) it displays the
content of the config.php3 as text in a block.

It might become an issue if blockAdmin.php3 gives
add/edit/remove permission to some users that are not
supposed to access the filesystem.

Discussion

  • tobozo
    tobozo
    2001-04-15

    Logged In: YES
    user_id=126727

    ...tried this patch, looks like it works fine..
    There is probably some tweaking to do in the ereg stuff for
    the other schemes ( gopher, news, nntp, propsero and *not*
    file )

     
  • tobozo
    tobozo
    2001-04-15

     
  • Ajay Sharma
    Ajay Sharma
    2001-05-22

    Logged In: YES
    user_id=70334

    this has been fixed with 0.61pl1

     
  • Ajay Sharma
    Ajay Sharma
    2001-05-22

    • status: open --> closed-fixed