woodtime / webgrind

Automatically exported from code.google.com/p/webgrind
Other
0 stars 0 forks source link

Prevent access to files not listed in the cachegrind files through the fileviewer #59

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Install webgrind
2. Navigate to 
http://localhost/webgrind/index.php?op=fileviewer&file=/etc/passwd&line=-1
3.

What is the expected output? What do you see instead?
I expect Webgrind to prevent access to files not listed in the cachegrind files 
through the fileviewer.
Instead, Webgrind displays the contents of the file, which means any file 
accessible by the webserver can potentially be displayed. This is a severe 
security threat as some of these files may contain sensitive information (like 
usernames/passwords).

What version of the product are you using? On what operating system?
This behaviour was noticed using Webgrind 1.0 on Ubuntu 10.04 (Lucid).

Original issue reported on code.google.com by fpoirotte@gmail.com on 26 Sep 2010 at 3:11

GoogleCodeExporter commented 8 years ago
Thank you for the security notice. It is indeed a security issue and a fix will 
be provided ASAP. 

However, webgrind was never intended for installation on production machines.

Original comment by gugakf...@gmail.com on 27 Sep 2010 at 9:00

GoogleCodeExporter commented 8 years ago
After further consideration, the issue will not be fixed. The fileviewer is 
intended for viewing local source files. These may or may not contain sensitive 
information. 

As such, webgrind should never be used on production systems with a public 
interface. 

Original comment by gugakf...@gmail.com on 28 Sep 2010 at 12:10

GoogleCodeExporter commented 8 years ago
Issue 62 has been merged into this issue.

Original comment by gugakf...@gmail.com on 4 Nov 2010 at 11:50