We found a possible LFI vulnerability in one of your project websites, making it possible to read any file on the web server. It may be possible to read the app-config.php file by exploiting this vulnerability, but we have not attempted to do so because this file may contain sensitive information.

As an example, a file can be read from the same directory as the app-config.php file: https://www.eclipse.org/mylyn/new/showVersion.php?version=..%2F..%2Feclipse.org-common%2Fsystem%2Fapp.class.php

The user input is not properly validated at line number 15 in the following file: https://git.eclipse.org/c/www.eclipse.org/mylyn.git/tree/new/showVersion.php#n15

A possible solution would be to validate the user input:

> $version = $_GET["version"];
> if(!preg_match("/^[\w\-\.]+$/", $version) || substr($version, -5) !== ".html") {
>     exit;
> }

As eclipse.org is open-source, we are not sure if this is intended behavior since we did not try to read any sensitive information, but it is better to be safe than sorry.
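The validation the report proposes, extended with a canonical-path containment check, as an added example written for this thread (not the Mylyn project's code and not the fix that was merged). It assumes showVersion.php serves an .html page named by the `version` parameter from one fixed directory; `$baseDir`, `resolveVersionFile` and the demo files are constructed for the illustration.

```php
<?php
// Added example, not the Mylyn project's code. It assumes showVersion.php
// maps the "version" parameter to an .html file in one fixed directory;
// $baseDir and the file names below are constructed for the demo.

/**
 * Return the canonical path of the requested version page, or null when the
 * input is malformed or resolves to a file outside $baseDir.
 */
function resolveVersionFile(string $baseDir, string $version): ?string
{
    // 1. Syntactic allowlist, as the report proposes: word characters, hyphen
    //    and dot only, with a mandatory .html suffix. Because "/" is not in
    //    the class, no path separator from the request reaches the filesystem.
    if (!preg_match('/^[\w\-.]+\.html$/', $version)) {
        return null;
    }
    // 2. Defence in depth: canonicalise (follows symlinks, collapses "..")
    //    and require the result to sit strictly inside the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $version);
    if ($base === false || $path === false) {
        return null;   // base directory missing, or no such page
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;   // resolved outside the base directory
    }
    return $path;
}

// Constructed demo: one legitimate page in a scratch directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'showversion-demo-' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . '3.25.html', '<p>Mylyn 3.25</p>');

$inputs = [
    '3.25.html',              // legitimate request
    '../app-config.php',      // traversal attempt, as described in the report
    '3.25',                   // allowed characters, but wrong suffix
    'does-not-exist.html',    // passes the allowlist, but no such file
];
foreach ($inputs as $in) {
    $result = resolveVersionFile($dir, $in);
    printf("%-22s => %s\n", $in, $result === null ? 'rejected' : 'served ' . basename($result));
}

unlink($dir . DIRECTORY_SEPARATOR . '3.25.html');
rmdir($dir);
```

Only the first input resolves to a file; the realpath step is what catches symlinks and any future relaxation of the character allowlist that the regex alone would not.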
Webdev Team, can you have a look, please?
(In reply to Wayne Beaton from comment #1)
> Webdev Team, can you have a look, please?

Confirmed. Please keep this vulnerability private until we fix this.
Thanks for the report. I've also filed bug 571416.
New Gerrit change created: https://git.eclipse.org/r/c/www.eclipse.org/mylyn/+/176707
Gerrit change https://git.eclipse.org/r/c/www.eclipse.org/mylyn/+/176707 was merged to [master]. Commit: http://git.eclipse.org/c/www.eclipse.org/mylyn.git/commit/?id=b9e260f498e527ad4864b6fe10076f2c06b81dcf
It appears to be fixed now, thank you for the fast response and solution! May we disclose this vulnerability?
(In reply to Joery Droppers from comment #6)
> It appears to be fixed now, thank you for the fast response and solution!
>
> May we disclose this vulnerability?

This is now a public bug!
(In reply to Joery Droppers from comment #6)
> It appears to be fixed now, thank you for the fast response and solution!
>
> May we disclose this vulnerability?

Thanks for reporting!