The current default file server implementation lets remote users access the full file system the server is running on using a basic directory traversal attack.
Assuming a file structure like:
And a static file server view like:
Attackers can access the Python file, and any other file accessible to the user running the fapws server:
GET /static/..%2fmyserver.py
GET /static/..%2f..%2f..%2f..%2f..%2f/etc/passwd
I realize it is meant as an example, but people will very likely end up using this in production, because users are the way they are :) Really enjoying using FAPWS3, btw!
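As an added example (not code from this issue or from the fapws3 project), the block below puts the unsafe pattern the report describes beside a hardened static-file resolver: it percent-decodes the request path, joins it onto the static root, resolves the result with `realpath`, and then refuses anything that does not land inside the root. The `/static/` prefix, the throwaway directory layout and the file names are constructed assumptions; the two `GET` paths from the report are used as the test inputs.

```python
import os
import tempfile
from urllib.parse import unquote

# Assumed URL prefix under which the static view is mounted.
PREFIX = "/static/"


def naive_resolve(static_root, request_path):
    """The pattern the report describes: percent-decode the URL path, drop the
    '/static/' prefix and join what is left onto the static directory.
    Encoded '..' segments (..%2f) walk straight out of static_root."""
    rel = unquote(request_path)[len(PREFIX):]
    return os.path.normpath(os.path.join(static_root, rel))


def safe_resolve(static_root, request_path):
    """Hardened resolution. Returns the absolute on-disk path of a file under
    static_root, or None when the request must be rejected (answer 404/403,
    never read the file)."""
    root = os.path.realpath(static_root)
    decoded = unquote(request_path)
    if not decoded.startswith(PREFIX):
        return None
    rel = decoded[len(PREFIX):]
    # Absolute paths and NUL bytes are never legitimate static-file names.
    if rel.startswith(("/", "\\")) or "\x00" in rel:
        return None
    # realpath collapses '..' and follows symlinks, so the containment check
    # below sees where the request really lands on disk.
    candidate = os.path.realpath(os.path.join(root, rel))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def demo():
    """Build a throwaway static directory (constructed sample data) and run both
    resolvers over a legitimate request and the two payloads from the report."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="fapws_static_"))
    os.makedirs(os.path.join(root, "css"))
    with open(os.path.join(root, "css", "site.css"), "w") as fh:
        fh.write("body{}")
    requests = {
        "legit": PREFIX + "css/site.css",
        "py": PREFIX + "..%2fmyserver.py",
        "passwd": PREFIX + "..%2f..%2f..%2f..%2f..%2f/etc/passwd",
    }
    naive = {k: naive_resolve(root, v) for k, v in requests.items()}
    safe = {k: safe_resolve(root, v) for k, v in requests.items()}
    return {
        # True where the naive join produced a path outside the static root.
        "naive_escapes": {k: not p.startswith(root + os.sep) for k, p in naive.items()},
        # The hardened resolver still serves the legitimate file ...
        "safe_legit_ok": safe["legit"] == os.path.join(root, "css", "site.css"),
        # ... and rejects both traversal requests.
        "safe_rejected": {k: safe[k] is None for k in ("py", "passwd")},
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The containment check compares the fully resolved candidate against the resolved root rather than looking for `..` in the string, so encoded, mixed-case or symlink-based variants are all judged by where they actually end up on disk.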