Closed GoogleCodeExporter closed 9 years ago
Looking forward to your fix :)
Original comment by psii...@gmail.com
on 15 Oct 2014 at 7:59
<Cause of this issue>
There is no pattern to detect the directory list in "TestPathTraversal.java".
<Description of fix>
1. added a RegEx to detect the list of root directory in response body.
2. added a pattern "" (empty string) to get the list of root directory.
I've attached to this post the difference before and after the changes.
Left side is before and right side is after.
Please review it.
Original comment by konno.takeyuki
on 15 Oct 2014 at 9:12
Can you upload a patch file as that will be easier to review?
In Eclipse you can right click a (set of) file(s) and select Team / Create Patch...
Thanks
Original comment by psii...@gmail.com
on 15 Oct 2014 at 12:38
Sorry. I attached a patch file to this post.
Original comment by konno.takeyuki
on 16 Oct 2014 at 5:15
Dear all, unfortunately I think the trouble is not related to this plugin. The
"TestPathTraversal.java" is indeed focused on path traversal vulnerability check
and not directory browsing check.
This means that the plugin target is to find the possibility to access
*single* files using inner application behaviors.
The vulnerability you're talking about is a little different (besides OWASP
point of view is to call it PathTraversal too), and currently ZAP manages it
using the "TestDirectoryBrowsing.java" plugin.
According to your description, the trouble lies in the fact that the current
DirectoryBrowsing plugin isn't related to parameters, but only to URL paths, so
that it raises an alert if the URL itself gives back a directory listing.
What we've to do is to manage also the possibility that a directory listing
occurs when a parameter is set to point to the filesystem (does the
vulnerability you checked work in this way?).
Can you try to understand this or give us some samples that we can use to
enforce the plugin?
Original comment by yhawke
on 17 Oct 2014 at 6:37
OK I see the internals of the bWapp, and indeed here it happens that the parameter
takes in care a directory and allows the directory listing of that directory.
It's a very "particular" issue because the application is a file browser which
hasn't any control on the root of the filesystem. In real cases it's very
difficult to find something like this exposed to generic users, but we've to
manage it.
My opinion is that this is more an "Information Disclosure" vulnerability, or a
"Directory Browsing", but I see the OWASP definition and the bWapp
implementation and I think that you're right to integrate it inside the
"TestPathTraversal" plugin.
So I suggest a different approach. The plugin currently works on 2 rounds. I
think that the better solution is to add one more round which should re-use the
patterns and a specific regex for file browsing, then create a specific bingo()
which should define clearly that this is a "directory path traversal".
What do you think about this?
Regarding the regex I'll review it according to bWapp outputs.
Original comment by yhawke
on 17 Oct 2014 at 10:32
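As an added illustration (not code from the ZAP project or from anyone in this thread) of the extra round yhawke proposes and the root-directory regex konno.takeyuki describes: a Python heuristic that, given a response body, returns the evidence a bingo() would report when the body looks like a directory listing, including the case where a file-browser parameter has been pointed at the filesystem root. The patterns, the threshold and the sample responses are constructed assumptions, not ZAP's own.

```python
import re
from typing import Optional

# Constructed patterns modelled on common server-generated directory indexes
# (assumption: not the regexes ZAP itself uses).
DIR_INDEX_PATTERNS = [
    re.compile(r"<title>\s*Index of /", re.I),          # Apache mod_autoindex
    re.compile(r"Parent Directory", re.I),              # Apache / nginx / IIS link text
    re.compile(r"<title>[^<]*Directory Listing", re.I), # IIS
]

# Entry names that occur together in a Unix root listing; several distinct ones
# in one response is the signal for "a parameter was pointed at /".
UNIX_ROOT_ENTRIES = ("bin", "boot", "dev", "etc", "home", "lib",
                     "proc", "root", "sbin", "tmp", "usr", "var")
# Lookbehind rejects "/etc" inside a path such as /etc/passwd, so a single-file
# traversal result does not count as a directory listing.
UNIX_ROOT_RE = re.compile(r"(?<![\w/.-])(" + "|".join(UNIX_ROOT_ENTRIES) + r")(?![\w-])")


def directory_listing_evidence(body: str, min_root_entries: int = 5) -> Optional[str]:
    """Return the matched evidence if the body looks like a directory listing, else None."""
    for pattern in DIR_INDEX_PATTERNS:
        match = pattern.search(body)
        if match:
            return match.group(0)
    # Strip tags so entries rendered as <li>, <a> or <td> cells are compared as plain words.
    text = re.sub(r"<[^>]+>", " ", body)
    found = sorted({m.group(1) for m in UNIX_ROOT_RE.finditer(text)})
    if len(found) >= min_root_entries:
        return " ".join(found)
    return None


# Constructed sample responses (not captured from bWapp or any real server).
APACHE_INDEX = ('<html><head><title>Index of /uploads</title></head><body>'
                '<pre><a href="../">Parent Directory</a><a href="notes.txt">notes.txt</a>'
                '</pre></body></html>')
ROOT_LISTING = ('<html><body><h2>Files in: /</h2><ul><li>bin</li><li>boot</li><li>dev</li>'
                '<li>etc</li><li>home</li><li>lib</li><li>usr</li><li>var</li></ul></body></html>')
NORMAL_PAGE = ('<html><body><p>Welcome home. Edit /etc/hosts to set a tmp override.</p>'
               '</body></html>')

if __name__ == "__main__":
    for name, body in (("apache", APACHE_INDEX), ("root", ROOT_LISTING), ("normal", NORMAL_PAGE)):
        print(name, "->", directory_listing_evidence(body))
```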
ZAP has been migrated to github
This issue will be on github issues with the same ID:
https://github.com/zaproxy/zaproxy/issues
Original comment by psii...@gmail.com
on 5 Jun 2015 at 9:17
Original issue reported on code.google.com by konno.takeyuki on 15 Oct 2014 at 3:01