Fritz Borgstedt wrote:
> An example on *nix would be the /etc/passwd file.
> "http://127.0.0.1:55555/get?file=/etc/passwd"
> Please test version 1.2.5

This looks good in terms of locking file retrieval to ASSP's base directory, but I wonder if more should be done to secure this file retrieval mechanism. For instance, this can be done:

http://127.0.0.1:55555/get?file=assp.pl

Is there really any need to allow file retrieval for anything beyond \.(css|gif|ico|jpg|png|txt) ? Or perhaps it should be anything except .pl ?

I'm not complaining - I'm just thinking of how to make it less susceptible to issues in the future.
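As an added illustration of the two policies weighed above (this is example code written for this thread, not ASSP's own `get` handler), the snippet below confines a `?file=` value to a base directory and then applies either the extension allowlist or the "anything except .pl" denylist. The base directory is a throwaway temp dir, and the file names in it (`style.css`, `assp.pl`, `notes.cfg`) are constructed samples; `notes.cfg` stands in for any non-.pl file that happens to live under the base directory.

```python
import os
import tempfile

# Extension allowlist suggested in the thread: \.(css|gif|ico|jpg|png|txt)
ALLOWED_EXTS = frozenset({".css", ".gif", ".ico", ".jpg", ".png", ".txt"})


def confine_to_base(base_dir, requested):
    """Canonicalise base_dir + requested and return the result only if it is a
    regular file strictly inside base_dir; otherwise return None.

    realpath collapses '..' and resolves symlinks before the check, and
    os.path.join discards base_dir when `requested` is absolute, so both
    '../../etc/passwd' and '/etc/passwd' land outside base_dir and are refused."""
    if not requested:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if not candidate.startswith(base + os.sep):
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def resolve_allowlist(base_dir, requested, allowed_exts=ALLOWED_EXTS):
    """Serve only files inside base_dir whose extension is on the allowlist."""
    path = confine_to_base(base_dir, requested)
    if path is None:
        return None
    if os.path.splitext(path)[1].lower() not in allowed_exts:
        return None
    return path


def resolve_denylist(base_dir, requested, denied_exts=frozenset({".pl"})):
    """The 'anything except .pl' alternative: same containment check, but every
    other file that happens to live under base_dir is still served."""
    path = confine_to_base(base_dir, requested)
    if path is None:
        return None
    if os.path.splitext(path)[1].lower() in denied_exts:
        return None
    return path


def demo():
    """Build a throwaway base directory with constructed sample files and
    report, per request, whether (allowlist, except-.pl) would serve it."""
    requests = ["style.css", "assp.pl", "notes.cfg", "sub/../style.css",
                "/etc/passwd", "../../etc/passwd", ""]
    results = {}
    with tempfile.TemporaryDirectory() as base:
        # Constructed sample files (hypothetical names, not ASSP's real layout).
        for name in ("style.css", "assp.pl", "notes.cfg"):
            with open(os.path.join(base, name), "w") as fh:
                fh.write("sample\n")
        os.mkdir(os.path.join(base, "sub"))
        for req in requests:
            results[req] = (resolve_allowlist(base, req) is not None,
                            resolve_denylist(base, req) is not None)
    return results


if __name__ == "__main__":
    for req, (allow, deny) in demo().items():
        print(f"{req!r:22} allowlist={'serve' if allow else 'refuse':6} "
              f"except-.pl={'serve' if deny else 'refuse'}")
```

Both policies refuse `assp.pl` and both refuse anything that canonicalises outside the base directory, so the path-confinement part is the same. The difference shows on `notes.cfg`: the denylist serves it because only `.pl` is blocked, while the allowlist refuses it because it was never declared public. That is the practical argument for the allowlist: a new file type dropped into the base directory later is refused by default instead of exposed by default.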
_______________________________________________ Assp-user mailing list Assp-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-user