Hi Michael,

I see, I didn't think about that. So I downloaded the latest 1.2.5(5) and gave a look.

I saw that &GetFile (/get?) is NOT used for editing lists, res files etc. Instead, &ConfigEdit (/edit?) is used, which of course has the same problem.

So, IMHO, GetFile should be restricted to the images folder. And ConfigEdit should validate against /\.\./ to ensure that you only access the assp folder, and it should only allow txt to ensure that you can only edit text files. And "file:" fields should be forced to have the .txt extension. Perhaps the extension should be added no matter what, so it would be "file:filename".

That would make it really secure and it would only mean 3 changes, in 3 very clear places.

But of course, it is just an opinion :)

If you like the idea, I can make the changes on 1.2.5(5) and pass it to you so you can give a look at it.

Regards!
Javier Albinarrate
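The ConfigEdit checks proposed in the message, written out as a stand-alone illustration (this is an added example, not ASSP's code; ASSP_DIR is a hypothetical install directory). Besides the `..` test and the .txt rule, it confirms the resolved path still lies inside the assp folder, which also catches absolute paths and symlink escapes that a bare `..` regex would let through.

```python
import os
import re

# Hypothetical install directory used for the illustration below.
ASSP_DIR = "/opt/assp"


class UnsafePath(ValueError):
    """Raised when an edit request must not be allowed to open a file."""


def force_txt(name):
    """Append .txt unless already present, so a 'file:spamlovers' field
    becomes 'file:spamlovers.txt' and the editor can only touch text files."""
    return name if name.lower().endswith(".txt") else name + ".txt"


def safe_config_path(name, base=ASSP_DIR):
    """Return the absolute path an /edit? request may open, or raise.

    Rules, as suggested in the message: no '..' component, .txt extension
    required, and the result must stay inside the assp folder. The final
    realpath/commonpath comparison is what actually confines the path;
    the '..' test alone would not reject '/etc/passwd.txt' or a symlink.
    """
    if not name or re.search(r"\.\.", name):
        raise UnsafePath("parent-directory reference: %r" % name)
    if not name.lower().endswith(".txt"):
        raise UnsafePath("only .txt files may be edited: %r" % name)
    base_real = os.path.realpath(base)
    # os.path.join discards base_real if name is absolute; the commonpath
    # check below rejects that case.
    full = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, full]) != base_real:
        raise UnsafePath("outside the assp folder: %r" % name)
    return full


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, three that must be refused.
    for req in ("spamlovers.txt", "../assp.pl", "/etc/passwd.txt", "assp.pl"):
        try:
            print(req, "->", safe_config_path(req))
        except UnsafePath as err:
            print(req, "-> rejected:", err)
```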
----- Original Message -----
_______________________________________________ Assp-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/assp-user
