
JSPUI Edit News feature can be used to view/edit other files readable to Tomcat user

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 4.0, 4.1, 4.2, 4.3, 4.4, 5.0, 5.1, 5.2, 5.3, 5.4, 6.0
    • Fix Version/s: 4.5, 5.5, 6.0
    • Component/s: API, JSPUI
    • Labels: None
    • Attachments: 0
    • Comments: 2
    • Documentation Status: Not Required

      Description

      Discovered/Noted by Andrea Bollini.

      What is the problem? Who is affected?

      Vulnerability - Severity: MEDIUM

      The JSPUI Edit News page can be used to view/edit any file accessible to the Tomcat user on the server: the name of the file to edit is taken from the submitted form value and is not restricted to the actual news files. While this page is access-restricted to DSpace Site Administrators, it still provides a dangerous level of access to the filesystem. It is especially dangerous if you are running multiple instances of DSpace (or other software) on the same server whose files are readable/writable by the Tomcat user. This vulnerability has existed since DSpace 4.0.

      How to replicate:
      1. Visit http://demo.dspace.org/jspui/
      2. Login as the Administrative user (it only works as a full Site Admin)
      3. Visit http://demo.dspace.org/jspui/dspace-admin/news-edit (Administer -> General Settings -> Edit News)
      4. Using Firebug (http://getfirebug.com/) or another client-side editing tool, change one of the <select> box <option> tags to have a value="dspace.cfg".
      5. Now, select that option, and click the Edit button
      6. You'll be sent to an editing page, and the contents of the server's "dspace.cfg" file will be shown.

      (Sidenote: this does not affect the XMLUI, as it's currently not possible to edit the XMLUI news from the Admin UI)
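      The pattern behind steps 4-6, as an added illustration that is not DSpace's own code: the news files live in the same configuration directory as dspace.cfg, so a file name lifted straight from the submitted <option> value resolves to any neighbouring file (and, with "../", to anything else the Tomcat user can read). The hardened variant checks the name against an allowlist and then confirms the canonical path stays inside the directory. The method names, the NewsFileAccess class and the allowlist of news-top.html / news-side.html are assumptions made for this example, not DSpace's API.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;

// Added illustration for DS-3063; not DSpace code. Method and class names are
// hypothetical. Requires Java 11+ (Files.readString / Files.writeString).
public class NewsFileAccess {

    // Assumed allowlist: the two JSPUI news files that the edit page is meant
    // to manage. Anything else the client sends is rejected outright.
    private static final Set<String> ALLOWED_NEWS_FILES =
            Set.of("news-top.html", "news-side.html");

    /** Vulnerable pattern: whatever name the client sent is resolved under configDir. */
    static String readNewsUnchecked(Path configDir, String requested) throws IOException {
        Path target = configDir.resolve(requested);
        return Files.readString(target, StandardCharsets.UTF_8);
    }

    /**
     * Hardened pattern: allowlist the file name first, then (defence in depth)
     * verify that the canonical target is still inside the config directory.
     */
    static String readNewsChecked(Path configDir, String requested) throws IOException {
        if (!ALLOWED_NEWS_FILES.contains(requested)) {
            throw new IllegalArgumentException("Not a news file: " + requested);
        }
        Path base = configDir.toRealPath();
        Path target = base.resolve(requested).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("Path escapes config dir: " + requested);
        }
        return Files.readString(target, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for [dspace]/config: one news file next to dspace.cfg.
        Path configDir = Files.createTempDirectory("dspace-config");
        Files.writeString(configDir.resolve("news-top.html"), "<p>Welcome</p>\n");
        Files.writeString(configDir.resolve("dspace.cfg"), "db.password = example-only\n");

        // Step 4 of the report: the <option> value tampered to "dspace.cfg".
        System.out.println("unchecked: " + readNewsUnchecked(configDir, "dspace.cfg").trim());

        try {
            readNewsChecked(configDir, "dspace.cfg");
        } catch (IllegalArgumentException e) {
            System.out.println("checked: rejected (" + e.getMessage() + ")");
        }
        try {
            readNewsChecked(configDir, "../dspace.cfg");
        } catch (IllegalArgumentException e) {
            System.out.println("checked: rejected (" + e.getMessage() + ")");
        }
        System.out.println("checked: " + readNewsChecked(configDir, "news-top.html").trim());
    }
}
```

      The allowlist is the actual fix; the canonical-path check only guards against a future change that loosens the allowlist to a pattern. Note that the unchecked version leaks dspace.cfg without any "../" at all, which is why step 4 of the report needs nothing more than value="dspace.cfg".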

      What is the fix?

            People

            • Assignee: Andrea Bollini (bollini, 4Science)
            • Reporter: Tim Donohue (tdonohue)
            • Reviewer: Ivan Masár
            • Votes: 0
            • Watchers: 3
