Bug 752798 - File Disclosure on wiki.mozilla.org
Status: RESOLVED FIXED (Closed)
Opened 12 years ago; closed 12 years ago
Product / Component: Websites :: wiki.mozilla.org (defect)
Tracking: Not tracked
Reporter: firealwaysworks; Unassigned
Keywords: sec-critical

Description
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Build ID: 20120423122928

Steps to reproduce:
https://wiki.mozilla.org/extensions/Bugzilla/pchart/examples/index.php?Action=1&Script=/etc/passwd

Here is the source code for the vulnerable file, it's the very first line:
https://wiki.mozilla.org/extensions/Bugzilla/pchart/examples/index.php?Action=1&Script=index.php

Actual results:
Read arbitrary files.
It's more accurate to call this File Disclosure than Directory Traversal. PHP's highlight_file() function is dangerous: http://php.net/manual/en/function.highlight-file.php
Summary: Directory Traversal on wiki.mozilla.org → File Disclosure on wiki.mozilla.org
Comment 2•12 years ago
ayup, this
Group: webtools-security → websites-security
Component: General → wiki.mozilla.org
Product: Web Apps → Websites
QA Contact: general → wiki-mozilla-org
Updated•12 years ago
Keywords: sec-critical
QA Contact: wiki-mozilla-org → mcoates
Comment 4•12 years ago
mrz or corry, can you get someone assigned to this.
Updated•12 years ago
Comment 5•12 years ago
It appears that the pchart charting software is found here: http://www.pchart.net/download

We are running pchart 2.1.3 and that is the latest version. One quick fix would be to delete the "examples" directory.

I would also do a grep on the file system like:

find / -xdev -name "*.php" -type f -print0 | xargs -0 grep -H "highlight_file($Script)"

to see if there are other highlight_file function calls on the system outside of the examples. It is very possible that the examples should have been deleted from a production system as it gives you the ability to see the working charting examples and the code behind the system.
Comment 6•12 years ago
(In reply to Chris More [:cmore] from comment #5)
> It appears that pchart charting software found here:
> http://www.pchart.net/download
>
> We are running pchart 2.1.3 and that is the latest version. One quick fix
> would be to delete the "examples" directory.
>
I did a quick grep of the code for files that used $_GET, $_REQUEST, $_POST. The only files that do are located in the examples directory. A short-term solution appears to be deleting the examples directory as you mention. A search for highlight only yielded files in examples as well.
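Comments 5 and 6 describe two manual greps: one for highlight_file() calls that take a variable, one for files that read $_GET, $_POST or $_REQUEST. The script below is an added example (not code from this bug, from pchart or from Mozilla webops) that turns both checks into reusable shell functions and generalises the first one to the other PHP functions that read or include a file from a path. The directory layout, the sample index.php and safe.php, and the function names are constructed for the demonstration and are not the real wiki deployment.

```shell
#!/bin/sh
# Added example, not from the bug thread. Generalises the one-liner in
# comment 5 (grep for highlight_file($Script)) and the superglobal search in
# comment 6 into two reusable checks. Function names are hypothetical.

# audit_php_tree DIR
# Print file:line:text for every call that passes a PHP variable straight
# into a function that reads or includes a file. highlight_file() is the one
# from the bug; the others disclose or execute a file the same way when they
# are handed a request-controlled path.
audit_php_tree() {
    find "$1" -xdev -name '*.php' -type f -print0 \
        | xargs -0 grep -nHE \
            '(highlight_file|show_source|file_get_contents|readfile|include|require)(_once)?[[:space:]]*\([[:space:]]*\$'
}

# find_request_readers DIR
# List the PHP files that touch $_GET, $_POST or $_REQUEST at all; a hit from
# audit_php_tree in one of these files is reachable by a web client.
find_request_readers() {
    find "$1" -xdev -name '*.php' -type f -print0 \
        | xargs -0 grep -lE '\$_(GET|POST|REQUEST)'
}

# count_hits DIR -> number of suspicious calls, as a bare integer
count_hits() {
    audit_php_tree "$1" | wc -l | tr -d ' '
}

# make_sample_tree DIR
# Constructed fixture: one file with the unsafe pattern described in the bug
# and one that calls the same function with a fixed, non-request path.
make_sample_tree() {
    mkdir -p "$1/examples" "$1/lib"
    cat > "$1/examples/index.php" <<'EOF'
<?php
// constructed sample reproducing the reported pattern
$Script = $_GET['Script'];
highlight_file($Script);
EOF
    cat > "$1/lib/safe.php" <<'EOF'
<?php
// constructed sample: fixed path, no request input
highlight_file(__DIR__ . '/example.php');
EOF
}

# Usage: sh audit.sh /var/www   (audits a real document root)
if [ "$#" -eq 1 ]; then
    echo "== calls passing a variable to a file-reading function =="
    audit_php_tree "$1"
    echo "== files that read request input =="
    find_request_readers "$1"
fi
```

Run against the constructed tree, audit_php_tree reports only examples/index.php line 4, and find_request_readers lists the same file; lib/safe.php is silent on both because its argument is a literal. The regex deliberately matches only a `$` immediately after the opening parenthesis, so it is a first pass that needs a human reading each hit, which is the same workflow comment 6 describes.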
Comment 7•12 years ago
CC'ing the relevant developers to remove this code. I'm pretty sure this is deployed out of SVN or git or something. Let us (webops) know when it's done and we'll re-push it.
Comment 8•12 years ago
Code lives in Git. Brandon - Can you please handle the removal of the examples directory?
Comment 9•12 years ago
We can do that but it will not quickly resolve the problem. Please have IT disable the mediawiki-bugzilla plugin.
Comment 10•12 years ago
I have manually deleted the pchart/examples directory, per comment 6. This should still be removed from the git repo, or it will re-appear whenever the code changes and we re-deploy it.
Comment 11•12 years ago
The examples directory is now gone from the repository on Github. Would it be worthwhile to have pchart vetted by security for any other vulnerabilities?
Comment 12•12 years ago
Brandon: How prevalent is pchart in our current deployment? I can file a bug for pchart review, but our queue is long at this time.
Comment 13•12 years ago
Closing bug off as RESOLVED due to the directory being removed.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•11 years ago
Flags: sec-bounty+
Updated•10 years ago
Group: websites-security