Prevent access to files not listed in the cachegrind files through the fileviewer
GoogleCodeExporter opened this issue · comments
What steps will reproduce the problem?
1. Install webgrind
2. Navigate to
http://localhost/webgrind/index.php?op=fileviewer&file=/etc/passwd&line=-1
3.
What is the expected output? What do you see instead?
I expect Webgrind to prevent access to files not listed in the cachegrind files
through the fileviewer.
Instead, Webgrind displays the contents of the file, which means any file
accessible by the webserver can potentially be displayed. This is a severe
security threat as some of these files may contain sensitive information (like
usernames/passwords).
What version of the product are you using? On what operating system?
This behaviour was noticed using Webgrind 1.0 on Ubuntu 10.04 (Lucid).
Original issue reported on code.google.com by fpoirotte@gmail.com on 26 Sep 2010 at 3:11
Thank you for the security notice. It is indeed a security issue and a fix will
be provided ASAP.
However, webgrind was never intended for installation on production machines.
Original comment by gugakf...@gmail.com on 27 Sep 2010 at 9:00
- Changed state: Accepted
- Added labels: Priority-High, Security
- Removed labels: Priority-Medium
After further consideration, the issue will not be fixed. The fileviewer is
intended for viewing local source files. These may or may not contain sensitive
information.
As such, webgrind should never be used on production systems with a public
interface.
Original comment by gugakf...@gmail.com on 28 Sep 2010 at 12:10
- Changed state: WontFix
Issue 62 has been merged into this issue.
Original comment by gugakf...@gmail.com on 4 Nov 2010 at 11:50