  1. DSpace
  2. DS-2448

JSPUI Path Traversal Vulnerability

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.3, 4.0, 4.1, 4.2, 5.0
    • Fix Version/s: 3.4, 4.3, 5.1
    • Component/s: JSPUI
    • Attachments: 2
    • Comments: 7
    • Documentation Status: Not Required

      Description

      http://khalil-shreateh.com/khalil.shtml/index.php/it-highlights/latest-vulnerabilities-and-exploits/279-dspace-multiple-vulnerabilities.html reports several vulnerabilities in DSpace. One of them resulted in DS-2445, which tracks a directory traversal in XMLUI. This ticket targets a nearly identical problem in JSPUI.

      It is possible to download/read files located in [dspace-install]/webapps/jspui by requesting URLs like http://demo.dspace.org/jspui/handle/10673/1/robots.txt or http://demo.dspace.org/jspui/handle/10673/1/WEB-INF/web.xml. A patch is in preparation.
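
      A log check for the request pattern described above, added here as an example and not part of the ticket or of DSpace's code: it flags requests under `/jspui/handle/<prefix>/<suffix>/` whose extra path names `WEB-INF` or `META-INF`, or ends in something that looks like a file name. The combined log format, the `/jspui` default context path, the file-name heuristic and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Request target and status code from a combined-format access log line (assumed format).
LOG_RE = re.compile(r'"(?:GET|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PROTECTED = {"web-inf", "meta-inf"}  # webapp directories that must never be served


def classify(target, context="/jspui"):
    """Return (handle, extra_path, reason) for a suspicious handle request, else None."""
    path = unquote(urlsplit(target).path)  # drop the query, normalise percent-encoding
    m = re.match(re.escape(context) + r"/handle/([^/]+/[^/]+)/(.+)$", path)
    if not m:
        return None  # plain handle page or unrelated URL
    segments = [s for s in m.group(2).split("/") if s]
    if not segments:
        return None
    extra = "/".join(segments)
    if any(s.lower() in PROTECTED for s in segments):
        return m.group(1), extra, "protected-dir"
    if "." in segments[-1]:  # heuristic (assumption): trailing segment looks like a file
        return m.group(1), extra, "static-file"
    return None


def scan(lines, context="/jspui"):
    """Collect flagged requests; 'served' is True when the server answered 200."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        hit = classify(m.group("target"), context) if m else None
        if hit:
            handle, extra, reason = hit
            hits.append({"handle": handle, "extra": extra, "reason": reason,
                         "served": m.group("status") == "200"})
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2015:10:00:01 +0000] "GET /jspui/handle/10673/1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Mar/2015:10:00:02 +0000] "GET /jspui/handle/10673/1/WEB-INF/web.xml HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Mar/2015:10:00:03 +0000] "GET /jspui/handle/10673/1/robots.txt HTTP/1.1" 404 312',
    '203.0.113.9 - - [01/Mar/2015:10:00:04 +0000] "GET /jspui/handle/10673/1/browse?type=title HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```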

              People

              Assignee: Pascal-Nicolas Becker (pbecker)
              Reporter: Pascal-Nicolas Becker (pbecker)
              Votes: 0
              Watchers: 3