#7495: notebook: get rid of all possible "internal server errors" when doing
"Data
--> Upload or attach file"
------------------------+---------------------------------------------------
Reporter: was | Owner: boothby
Type: defect | Status: new
Priority: blocker | Milestone: sage-4.3
Component: notebook | Keywords:
Work_issues: | Author:
Reviewer: | Merged:
------------------------+---------------------------------------------------
Changes (by was):
* priority: critical => blocker
Comment:
Yes, this is fully exploitable and allows one to delete any file on the
server:
E.g., on my laptop I created a file tmp/xyz, then pasted in this url, and
that file was deleted.
{{{
http://localhost:8000/home/admin/13/do_upload_data?urlField=%27%27&nameField=../../../../../../../../tmp/xyz
}}}
With a little more work, one could not only delete any file, but I think
*replace* it by a file of ones choice. That's a pretty massive exploit.
So I'm upping this to a blocker and fixing it now.
--
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/7495#comment:1>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica,
and MATLAB
--
You received this message because you are subscribed to the Google Groups
"sage-trac" group.
To post to this group, send email to [email protected].
For more options, visit this group at
http://groups.google.com/group/sage-trac?hl=.
