http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628
--- Comment #7 from Frère Sébastien Marie <[email protected]> 2011-11-28 09:40:47 UTC ---
(In reply to comment #6)
> This vulnerability would allow anyone to read any .tt file on the server. As
> /etc/passwd does not end with .tt, this problem is much less critical than
> the 6629 one !

Paul, here I disagree with you :-)

Under 3.4.x (sorry, no master deployed for test), I could successfully exploit this vulnerability to echo /etc/passwd.

The ".tt" at the end is normally discarded by %00 (the meaning is the same as \0 in a C string: it stands for end-of-string).

Katrin, you could try adding more ../ to the url (here, the traversal should go back from "$htdocs/$theme/$lang/modules/help/", and depending on where $htdocs is located, there are a couple of parents before the filesystem's root).

My test against 3.4.x:
/cgi-bin/koha/help.pl?url=koha/../../../../../../../../../../../etc/passwd%00.pl
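
The following is an added example, not part of the original message and not Koha's code: one way a handler could validate the `url` parameter so that neither the NUL byte nor the `../` segments described above reach the filesystem. The function name `resolve_help_template`, the allowed character set and the `.pl` to `.tt` mapping are assumptions made for illustration.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Path qw(make_path);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper (not Koha's code): map the decoded "url" parameter to a
# template under $help_root, or return nothing if the request must be refused.
sub resolve_help_template {
    my ($help_root, $url) = @_;
    return unless defined $url && length $url;
    # 1. A NUL byte ends the string at the C layer, so a suffix appended after
    #    it never reaches the filesystem call. Refuse all control bytes.
    return if $url =~ /[\x00-\x1f\x7f]/;
    # 2. Allowlist the shape (assumed): relative segments of safe characters
    #    ending in ".pl". No dots inside a segment, so "." and ".." cannot occur.
    return unless $url =~ m{\A(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.pl\z};
    (my $rel = $url) =~ s/\.pl\z/.tt/;
    my $candidate = File::Spec->catfile($help_root, split m{/}, $rel);
    # 3. Canonicalise and confirm containment; this also catches a symlink
    #    inside the help tree that points outside it.
    my $real_root = realpath($help_root);
    my $real      = realpath($candidate);
    return unless defined $real_root && defined $real && -f $real;
    return unless index($real, "$real_root/") == 0;
    return $real;
}

# Constructed demo tree and inputs (already URL-decoded, as CGI would pass them).
my $root = tempdir(CLEANUP => 1);
make_path("$root/koha");
open my $fh, '>', "$root/koha/mainpage.tt" or die "cannot create sample: $!";
print {$fh} "help text\n";
close $fh;

for my $url ("koha/mainpage.pl", "koha/../../etc/passwd\0.pl",
             "../secret.pl", "koha/missing.pl") {
    my $path = resolve_help_template($root, $url);
    (my $shown = $url) =~ s/\0/%00/g;    # make the NUL visible when printing
    printf "%-30s %s\n", $shown, defined $path ? "serve" : "reject";
}
```

Only the first constructed input is served; the other three are rejected by the control-byte check, the allowlist and the existence check respectively.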
