
phpSlash

Tracker: Bugs

Block_render_url.class::security issue - ID: 416036 (priority 5)
Last Update: Comment added ( nobody )

When specifying a path instead of a URL in a block of type "url", it is possible to see the local file on the server displayed in the block as text. Example:

Title : notTrusted
Type : url
Site Location : whatever
Source URL : ./config.php3
Expire Length : 0
Owned by section : **not** the home section
Data : (empty)
Order number : whatever

On assassine.org (apache/php3.0.16) it displays the content of config.php3 as text in a block.

It might become an issue if blockAdmin.php3 gives add/edit/remove permission to some users that are not supposed to access the filesystem.


tobozo ( tobozo ) - 2001-04-13 22:36

Priority: 5
Status: Closed
Resolution: Fixed
Assigned: Nobody/Anonymous
Category: index
Group: enhancement
Visibility: Public


Comments ( 2 )




Date: 2001-05-22 23:10
Sender: ajayrockrock

Logged In: YES
user_id=70334

This has been fixed with 0.61pl1.


Date: 2001-04-15 13:48
Sender: tobozo

Logged In: YES
user_id=126727

...tried this patch, looks like it works fine. There is probably some tweaking to do in the ereg stuff for the other schemes (gopher, news, nntp, prospero and *not* file).
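The bug class described in the report, and the scheme check tobozo's comment refers to, as an added PHP example. This is not phpSlash's code or the attached patch: the function names, the scheme allowlist and the sample inputs are assumptions made for illustration. It runs offline by creating a temporary file that stands in for config.php3.

```php
<?php
// Added example, not phpSlash's own code. It reconstructs the bug class
// reported above and one way to close it. Function names, the allowlist
// and the sample inputs are assumptions made for illustration.

declare(strict_types=1);

// Vulnerable pattern: the block's "Source URL" field is handed straight to
// PHP's file functions. file_get_contents() (like fopen()) opens local paths
// and file:// URLs just as readily as http:// URLs, so a value such as
// "./config.php3" is read from the server's filesystem and rendered into the
// block as text.
function render_url_block_vulnerable(string $source_url): string
{
    $data = @file_get_contents($source_url);
    return $data === false ? '' : htmlspecialchars($data);
}

// Hardened check: accept only absolute URLs whose scheme is on an explicit
// allowlist and which name a host. parse_url() returns no 'scheme' for a
// relative or absolute local path ("./config.php3", "/etc/passwd") and no
// 'host' for "file:///etc/passwd", so both are refused. The allowlist here is
// an assumption; the real patch may permit other schemes, but must never
// allow "file".
function is_allowed_block_url(string $source_url): bool
{
    $allowed_schemes = ['http', 'https', 'ftp'];
    $parts = parse_url($source_url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), $allowed_schemes, true)) {
        return false;
    }
    // Reject anything that is not a plausible hostname.
    return preg_match('/^[A-Za-z0-9.-]+$/', $parts['host']) === 1;
}

function render_url_block_hardened(string $source_url): string
{
    if (!is_allowed_block_url($source_url)) {
        return '[refused: not an allowed remote URL]';
    }
    // Only a validated remote URL reaches the fetch routine.
    return render_url_block_vulnerable($source_url);
}

// Demonstration with a constructed local file standing in for config.php3.
$fake_config = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($fake_config, "<?php \$db_pass = 'hunter2'; ?>\n");

printf("vulnerable : %s\n", render_url_block_vulnerable($fake_config)); // leaks $db_pass
printf("hardened   : %s\n", render_url_block_hardened($fake_config));   // refused

$samples = [
    'http://example.com/news.rss',   // allowed
    'HTTP://example.com/',           // allowed (scheme compared case-insensitively)
    'file:///etc/passwd',            // refused: no host, scheme not allowed
    './config.php3',                 // refused: no scheme
    'gopher://gopher.example.com/',  // refused: scheme not on the allowlist
];
foreach ($samples as $u) {
    printf("%-32s %s\n", $u, is_allowed_block_url($u) ? 'allowed' : 'refused');
}
unlink($fake_config);
```

The check belongs in the block-rendering class, not only in the admin form: as the report notes, the real exposure is any user with add/edit rights in blockAdmin.php3, so the value must be validated where it is used, at the point it is opened.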



Attached File ( 1 )

Filename                 Description   Download
Block_render_url.class   -             Download

Changes ( 4 )

Field          Old Value                      Date              By
status_id      Open                           2001-05-22 23:10  ajayrockrock
resolution_id  None                           2001-05-22 23:10  ajayrockrock
close_date     -                              2001-05-22 23:10  ajayrockrock
File Added     5380: Block_render_url.class   2001-04-15 13:48  tobozo