lovasoa / SQLpage

SQL-only webapp builder, empowering data analysts to build websites and applications quickly
https://sql.datapage.app
MIT License
1.29k stars 69 forks

The sqlpage folder can be read by HTTP client requests #89

Closed olivierauverlot closed 11 months ago

olivierauverlot commented 11 months ago

With the browser, we can download the files in the sqlpage folder. For example, it's possible to read the sqlpage.json configuration file. It's a security problem. The sqlpage folder must be kept hidden.

It's possible to set rewrite rules on the proxy side to block the download. But, I think that it will be cool to filter URLs in the sqlpage server.
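
A server-side check of the kind this report asks for, written here as an added example rather than SQLpage's own code: it refuses any request whose path resolves into the root-level `sqlpage/` directory. The request is percent-decoded and its `.`/`..` segments collapsed before the comparison, because a filter that only matches the raw URL string would miss differently spelled requests for the same file. The function names, the single round of decoding and the case-folding are my assumptions, not SQLpage's behaviour.

```rust
// Added example, not SQLpage's own code: refuse HTTP requests for anything under
// the root-level `sqlpage/` configuration directory (where sqlpage.json lives).
// Assumption: the server hands over the raw request target, e.g. "/a/b?x=1".

/// Decode %XX escapes; malformed escapes are passed through unchanged.
fn percent_decode(s: &str) -> String {
    let (b, mut out, mut i) = (s.as_bytes(), Vec::new(), 0);
    while i < b.len() {
        if b[i] == b'%' && i + 2 < b.len() {
            let hex = std::str::from_utf8(&b[i + 1..i + 3]).ok();
            if let Some(v) = hex.and_then(|h| u8::from_str_radix(h, 16).ok()) {
                out.push(v);
                i += 3;
                continue;
            }
        }
        out.push(b[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Canonical lower-cased segments with `.`/`..` resolved; None if `..` climbs above root.
fn canonical_segments(path: &str) -> Option<Vec<String>> {
    let mut segs: Vec<String> = Vec::new();
    for raw in path.split(|c: char| c == '/' || c == '\\') {
        match raw {
            "" | "." => {}
            ".." => { segs.pop()?; }
            s => segs.push(s.to_ascii_lowercase()), // case-folded: hosts may be case-insensitive
        }
    }
    Some(segs)
}

/// The check the issue reports as missing: true when the request must be refused.
/// Decoding and normalising first makes "/%73qlpage/x" and "/docs/../sqlpage/x" resolve like "/sqlpage/x".
pub fn is_forbidden_path(request_target: &str) -> bool {
    let path = request_target.split(|c: char| c == '?' || c == '#').next().unwrap_or("");
    match canonical_segments(&percent_decode(path)) {
        None => true, // escaped the web root: refuse outright
        Some(segs) => segs.first().map_or(false, |s| s.as_str() == "sqlpage"),
    }
}
fn main() {
    for p in ["/sqlpage/sqlpage.json", "/index.sql", "/docs/../sqlpage/sqlpage.json"] {
        println!("{:<35} forbidden = {}", p, is_forbidden_path(p));
    }
}
```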

lovasoa commented 11 months ago

Thank you very much for the report. The check was removed during a refactoring and we missed it because we didn't have a test for it. I'll release a new version today.

lovasoa commented 11 months ago

Just released v0.11.1

lovasoa commented 11 months ago

I published an advisory and requested a CVE, where you will be credited.

https://github.com/lovasoa/SQLpage/security/advisories/GHSA-v5wf-jg37-r9m5