aptana / Jaxer

The JavaScript Server

security misconfiguration in aptana jaxer for linux current #3

Closed nevbear666 closed 13 years ago

nevbear666 commented 13 years ago

Dear ladies and gentlemen, I have found a security risk in the Aptana Jaxer configuration, namely within the web-served source code viewer for the Jaxer samples.

Basically, your sourceViewer implementation allows access to the server root; just enter this URL in your browser to confirm the problem:

http://yourdomain/aptana/tools/sourceViewer/index.html?filename=../../../../../../../etc/passwd

A fast fix would be adding a .htaccess file under:

/opt/AptanaJaxer/jaxer/aptana/tools/

with the following content (to limit access to the sourceViewer to your developer's IP address):

    order deny,allow
    deny from all
    allow from xxx.xxx.xxx.xxx

Replace the xxx.xxx.xxx.xxx with your developer's workstation IP.

Greetings Oliver Leitner

ingo commented 13 years ago

Hi Oliver,

Thank you for the note. I've removed the sourceViewer code from the repo, and I've posted on the Google Jaxer group to notify existing users.

Cheers, Ingo