Security: downloadReport allows downloading and viewing any file in the filesystem

Description

Walkthrough:

  • Log in to the OpenNMS web UI
  • Paste the following URL into the browser:
    http://<IP-OF-OPENNMS>:8980/opennms/report/database/downloadReport.htm?fileName=/etc/group

Or any other file in the filesystem.

Access to files outside the defined paths should be blocked.



Activity


Gabriela Lopez January 30, 2023 at 6:39 PM

Information Security assessed as a medium.

CVSS: 8.2 x med likelihood .8 = 6.6 medium

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:A/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X

Michael Batz June 11, 2014 at 11:32 AM

If you do not need the feature and do not want to make an update, add the following line to
<OpenNMS-Home>/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml

<!-- Workaround for -->
<intercept-url pattern="/report/database/downloadReport.htm*" access="ROLE_NOACCESS" />

Benjamin Reed June 5, 2014 at 10:16 AM

You know it's a good bug when we release a fix to the previous stable release. Thanks for the catch!

Jeff Gehlbach June 3, 2014 at 2:54 PM

Fixed this exposure by comparing the pathname of the requested file's parent directory against the configured storage-location in reportd-configuration.xml. If no match, we throw an exception.

Fix committed and pushed in 1.12, cherry-picked to 1.10, and merged to master (1.13).

Thanks for the report, Martin.
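The parent-directory check described in the fix above, as an added Python example: it is not OpenNMS code (OpenNMS is Java and reads the real storage-location from reportd-configuration.xml), and the STORAGE_LOCATION value and the request names are constructed for illustration.

```python
import os

# Constructed stand-in for the storage-location value from reportd-configuration.xml
STORAGE_LOCATION = "/var/opennms/reports"


def resolve_report_path(file_name: str, storage_location: str = STORAGE_LOCATION) -> str:
    """Return the absolute path of the requested report if, and only if, its parent
    directory is exactly the configured storage location; raise ValueError otherwise
    (the 'throw an exception' behaviour of the fix)."""
    base = os.path.realpath(storage_location)
    # os.path.join keeps an absolute fileName (e.g. /etc/group) as-is and resolves a
    # relative one against the storage location; realpath then collapses any '..'
    # segments and symlinks so the comparison is done on the effective path.
    candidate = os.path.realpath(os.path.join(base, file_name))
    parent = os.path.dirname(candidate)
    if parent != base:
        raise ValueError(
            f"refusing to serve {file_name!r}: parent {parent!r} is not the "
            f"configured storage location {base!r}"
        )
    return candidate


def is_allowed(file_name: str, storage_location: str = STORAGE_LOCATION) -> bool:
    """Boolean wrapper around resolve_report_path for quick checks."""
    try:
        resolve_report_path(file_name, storage_location)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request values: the reproduction from the report plus variants.
    for name in ["weekly.csv", "/etc/group", "../../etc/group", "sub/weekly.csv", ""]:
        print(f"{name!r:22} -> {'served' if is_allowed(name) else 'rejected'}")
```

Only a file whose resolved parent is exactly the storage location is served; subdirectories, absolute paths and `..` traversal are all rejected.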

Fixed


Created June 3, 2014 at 9:34 AM
Updated January 30, 2023 at 6:39 PM
Resolved June 3, 2014 at 2:54 PM