h2020-westlife-eu / virtualfolder

Virtual Folder
http://internal-wiki.west-life.eu/w/index.php?title=D6.1
MIT License

Public webdav url is vulnerable with full path disclosure #64

Open TomasKulhanek opened 6 years ago

TomasKulhanek commented 6 years ago

See https://www.owasp.org/index.php/Full_Path_Disclosure : the path URL contains a path within the user context, e.g. https://portal.west-life.egi/webdav/ABCDefg123/b2drop/myfile.txt, which discloses the path to other users' files. It would be better as https://portal.west-life.egi/webdav/ABCDefg/myfile.txt

TomasKulhanek commented 6 years ago

Additionally, the private deployment allows browsing the content of another user.

TomasKulhanek commented 5 years ago

Still present in public portal

TomasKulhanek commented 5 years ago

Public as well as private URLs are not processed.

https://portal.west-life.eu/public_webdav/XMD8Nf76XM57OGpmAapB880F+IQFpR2YQO5JQag6Rfwes8zTkUgMbEjU3nSoEkAjinfZS+ut7tsB0MLW4b087Bv4K05b46ZMwgx33mUHaaI=/2hhd.pdb returns HTTP 404 Not Found.

francoisruty commented 5 years ago

Hello, the 404 is returned by httpd inside the virtualfolder.

/var/log/httpd/access_log :

10.8.0.2 - - [14/Sep/2018:14:56:08 +0000] "GET /public_webdav/XMD8Nf76XM57OGpmAapB880F+IQFpR2YQO5JQag6Rfwes8zTkUgMbEjU3nSoEkAjinfZS+ut7tsB0MLW4b087Bv4K05b46ZMwgx33mUHaaI=/2hhd.pdb HTTP/1.1" 404 329 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"

Any idea?


TomasKulhanek commented 5 years ago

Fixed.

TomasKulhanek commented 5 years ago

This issue seems to be in place again. The generated URL allows browsing the root of all virtual folders. Check that the Apache config RewriteMap davredir prg:/opt/virtualfolder/MetadataService/webdavhash2path is in place and that webdavhash2path decodes the path correctly. Probably introduce a fix that will prevent a zero or error returned by webdavhash2path from redirecting to the root.
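The two defects discussed in this thread (the share URL carrying the user's real path, and an empty or failed lookup in the RewriteMap program collapsing to the root of all virtual folders) both live in the token-to-path mapping. Below is an added example of how such a "prg:" RewriteMap helper can be written safely; it is not the project's webdavhash2path and the token table, the share root and the Apache rules in the comments are constructed for the example. Apache's prg: protocol is one key per stdin line and one answer per stdout line, and the literal string "NULL" signals "no mapping", which makes the `${map:key|default}` fallback fire instead of rewriting to an empty prefix.

```python
"""Hypothetical RewriteMap "prg:" helper (added example, not the project's
webdavhash2path). Resolves an opaque share token to a directory on disk so
the public URL never contains the owner's path.

Assumed Apache wiring (constructed for this example):
  RewriteMap  davredir  prg:/opt/virtualfolder/MetadataService/webdavhash2path
  RewriteRule ^/public_webdav/([^/]+)/(.*)$  ${davredir:$1|/nonexistent}/$2 [L]
"""
import os
import sys

# Constructed lookup table standing in for the metadata service's database:
# opaque token -> share directory relative to SHARE_ROOT.
SHARE_ROOT = "/srv/vf/shares"
TOKEN_TABLE = {
    "tokenA1": "userA/b2drop/public",
    "tokenB2": "userB/export",
}

# The four-character string Apache interprets as "key not found".
NO_MATCH = "NULL"


def resolve(token: str) -> str:
    """Return the absolute directory for a token, or "NULL" on any failure.

    An empty answer would let the RewriteRule build "" + "/" + rest, i.e. the
    root of all virtual folders, which is the regression described in the
    issue. Every failure path therefore answers NO_MATCH explicitly.
    """
    token = token.strip()
    if not token or token in (".", "..") or "/" in token:
        return NO_MATCH
    rel = TOKEN_TABLE.get(token)
    if not rel:
        return NO_MATCH
    full = os.path.normpath(os.path.join(SHARE_ROOT, rel))
    # Defence in depth: the mapped directory must stay under SHARE_ROOT even
    # if a table entry is malformed.
    if not full.startswith(SHARE_ROOT + os.sep):
        return NO_MATCH
    return full


def answer_lines(lines) -> list:
    """Map each incoming key line to exactly one answer line (no newline)."""
    answers = []
    for line in lines:
        try:
            answers.append(resolve(line))
        except Exception:
            # An exception must never turn into a missing or empty answer.
            answers.append(NO_MATCH)
    return answers


def serve(stdin, stdout) -> None:
    """Run the prg: loop for the lifetime of the httpd process."""
    for line in stdin:
        stdout.write(answer_lines([line])[0] + "\n")
        stdout.flush()  # Apache blocks on each answer; do not buffer output


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

When wiring this in, keep the `|/nonexistent` default (or an equivalent deny rule) on the RewriteRule so that a NULL answer is served as 404 rather than falling through to an unrestricted DocumentRoot.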