[STORM-269] Any readable file exposed via UI log viewer - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 0.9.2-incubating
Fix Version/s: 0.9.2-incubating
Component/s: storm-core
Labels:
- security

Description

Note: This is actually version 0.9.0.1 but I couldn't choose that in the dropdown. I suspect that the problem still exists.

I found that it's possible to access any readable file on the system via the UI worker log viewer. To reproduce, navigate to:

http://<host:port>/log?file=../../../../../../../../etc/passwd

Attachments

Activity

People

Assignee:: P. Taylor Goetz

Reporter:: Jared Kuolt

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 27/Mar/14 23:51

Updated:: 09/Oct/15 00:48

Resolved:: 21/May/14 21:31