http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 --- Comment #7 from Frère Sébastien Marie <semarie-koha@latrappe.fr> 2011-11-28 09:40:47 UTC --- (In reply to comment #6)
This vulnerability would allow anyone reading any .tt file on the server. As /etc/password is not ending by .tt, this problem is much less critical than the 6629 one !
Paul, here I disagree with you :-) Under 3.4.x (sorry, no master deployed for test), I could successfully exploit this vulnerability to echo /etc/passwd. The ".tt" at the end is normally discarded by %00 (the meaning is the same that \0 in C-string, it is stand for end-of-string). Katrin, you could try to add more ../ to url (here, we traversal should go back from "$htdocs/$theme/$lang/modules/help/", and depending where is located $htdocs, there are a couple of parent before the root's filesystem). My test against 3.4.x: /cgi-bin/koha/help.pl?url=koha/../../../../../../../../../../../etc/passwd%00.pl -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.