Bug 571411 - security - LFI on eclipse.org/mylyn
Summary: security - LFI on eclipse.org/mylyn
Status: RESOLVED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: PC Windows 10
Importance: P3 critical
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks: 571416
Reported: 2021-02-22 14:55 EST by Joery Droppers CLA
Modified: 2021-03-02 09:05 EST
CC List: 5 users

Description Joery Droppers CLA 2021-02-22 14:55:39 EST
We found a possible LFI vulnerability in one of your project websites, making it possible to read any file on the web server. It may be possible to read the app-config.php file by exploiting this vulnerability, but we have not attempted to do so because this file may contain sensitive information.

As an example, a file can be read from the same directory as the app-config.php file:
https://www.eclipse.org/mylyn/new/showVersion.php?version=..%2F..%2Feclipse.org-common%2Fsystem%2Fapp.class.php

The user input is not properly validated at line number 15 in the following file:
https://git.eclipse.org/c/www.eclipse.org/mylyn.git/tree/new/showVersion.php#n15

A possible solution would be to validate the user input:
> $version = $_GET["version"];
> if(!preg_match("/^[\w\-\.]+$/", $version) || substr($version, -5) !== ".html") {
>     exit;
> }

As eclipse.org is open-source, we are not sure if this is intended behavior since we did not try to read any sensitive information, but it is better to be safe than sorry.
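
The validation suggested in the description, followed by a canonical-path containment check as defence in depth. This is an added example, not part of the original report and not the Eclipse project's code; the function name `resolve_version_file`, the base directory and the demo files are assumptions constructed for illustration.

```php
<?php
// Added example. The function name and directory layout are assumptions;
// this is not the code of the real showVersion.php.

/** Return the absolute path of a version page under $baseDir, or null if rejected. */
function resolve_version_file(string $version, string $baseDir): ?string
{
    // Check 1 (from the report): filename characters only, must end in ".html".
    // "/" and "\" are outside the character class, so "../" cannot pass.
    if (!preg_match('/^[\w\-\.]+$/', $version) || substr($version, -5) !== '.html') {
        return null;
    }
    // Check 2 (defence in depth): canonicalise, then require the result to stay
    // inside the base directory. realpath() resolves symlinks and returns false
    // for paths that do not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $version);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo tree in a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
mkdir($root . '/versions', 0700, true);
file_put_contents($root . '/versions/3.25.html', '<p>3.25</p>');
file_put_contents($root . '/config.php', '<?php // constructed placeholder');
// A symlink that passes check 1 but points outside the base directory.
@symlink($root . '/config.php', $root . '/versions/link.html');

$inputs = [
    '3.25.html',                                      // valid page
    '../../eclipse.org-common/system/app.class.php',  // decoded value from the report
    '../config.php',                                  // traversal, wrong suffix
    'link.html',                                      // symlink escaping the base
    '3.26.html',                                      // well formed, does not exist
];
foreach ($inputs as $input) {
    $resolved = resolve_version_file($input, $root . '/versions');
    printf("%-48s %s\n", $input, $resolved === null ? 'rejected' : 'served');
}
```

Only the first input resolves to a path; the caller should read or include the returned canonical path rather than rebuilding one from the raw parameter.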
Comment 1 Wayne Beaton CLA 2021-02-22 15:11:59 EST
Webdev Team, can you have a look, please?
Comment 2 Christopher Guindon CLA 2021-02-22 15:52:39 EST
(In reply to Wayne Beaton from comment #1)
> Webdev Team, can you have a look, please?

Confirmed.

Please keep this vulnerability private until we fix this.
Comment 3 Denis Roy CLA 2021-02-22 16:37:32 EST
Thanks for the report.  I've also filed bug 571416.
Comment 4 Eclipse Genie CLA 2021-02-22 16:43:24 EST
New Gerrit change created: https://git.eclipse.org/r/c/www.eclipse.org/mylyn/+/176707
Comment 6 Joery Droppers CLA 2021-02-27 16:32:34 EST
It appears to be fixed now, thank you for the fast response and solution! 

May we disclose this vulnerability?
Comment 7 Christopher Guindon CLA 2021-03-02 09:04:58 EST
(In reply to Joery Droppers from comment #6)
> It appears to be fixed now, thank you for the fast response and solution! 
> 
> May we disclose this vulnerability?

This is now a public bug!
Comment 8 Christopher Guindon CLA 2021-03-02 09:05:16 EST
(In reply to Joery Droppers from comment #6)
> It appears to be fixed now, thank you for the fast response and solution! 
> 
> May we disclose this vulnerability?

Thanks for reporting!