Apache Storm / STORM-269

Any readable file exposed via UI log viewer

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.9.2-incubating
    • Fix Version/s: 0.9.2-incubating
    • Component/s: storm-core
    • Labels:

      Description

      Note: This is actually version 0.9.0.1 but I couldn't choose that in the dropdown. I suspect that the problem still exists.

      I found that it's possible to access any readable file on the system via the UI worker log viewer. To reproduce, navigate to:

      http://<host:port>/log?file=../../../../../../../../etc/passwd

            People

            • Assignee: P. Taylor Goetz (ptgoetz)
            • Reporter: Jared Kuolt (jaredkuolt)
            • Votes: 1
            • Watchers: 4

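
A containment check that rejects the request shown in the description, as an added example (not code from Apache Storm or from the reporter). The class name `LogPathCheck`, the method `resolveLog` and the sample log file name are hypothetical; the log directory is a constructed temporary directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Added example: containment check for a log viewer's "file" parameter. */
public class LogPathCheck {

    /**
     * Resolves a user-supplied file name against logRoot and returns the path
     * only if it stays inside logRoot. Throws SecurityException otherwise.
     */
    static Path resolveLog(Path logRoot, String requested) throws IOException {
        // Canonical form of the root (follows symlinks; the root must exist).
        Path root = logRoot.toRealPath();
        // resolve() returns `requested` unchanged when it is absolute, so the
        // startsWith() check below also rejects "/etc/passwd".
        Path candidate = root.resolve(requested).normalize();
        // Path.startsWith compares whole name elements, not string prefixes.
        if (!candidate.startsWith(root)) {
            throw new SecurityException("outside log directory: " + requested);
        }
        // If the file exists, re-check after following symlinks so a link
        // inside the log directory cannot point somewhere else.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(root)) {
            throw new SecurityException("symlink escapes log directory: " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a temporary log directory with one worker log.
        Path root = Files.createTempDirectory("logs");
        Files.write(root.resolve("worker-6700.log"), "sample line\n".getBytes());

        String[] inputs = {
            "worker-6700.log",                       // legitimate request
            "../../../../../../../../etc/passwd",    // the request from the report
            "/etc/passwd",                           // absolute path
        };
        for (String in : inputs) {
            try {
                System.out.println("ALLOW " + resolveLog(root, in));
            } catch (SecurityException e) {
                System.out.println("DENY  " + e.getMessage());
            }
        }
    }
}
```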