SS-2014-010: Injection / Filesystem vulnerability in generatesecuretoken
- Severity: Low (?)
- Identifier: SS-2014-010
- Versions Affected: 3.0.10, 3.1.4, master
- Versions Fixed: 3.0.11, 3.1.5, master
- Release Date: 2014-05-07
A minor issue in the generatesecuretoken dev task allowed files on the filesystem to be probed: the existence of any file could be reported by passing a relative filesystem path in the 'path' querystring parameter. Additionally, the Content-Type header of this page's response was set to 'text/html', so HTML injection via the querystring could be used to inject JavaScript.
This issue has been resolved by removing the unnecessary 'path' querystring parameter and ensuring the output of this page is given the 'text/plain' Content-Type header.
This attack may only be performed by a privileged user (administrator), so the risk of it being exploited was very low.
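An added illustration of the weakness and the fix described above, written for this advisory and not taken from the SilverStripe code base: a simplified dev-task handler that reads a caller-supplied `path` and reflects it into an HTML response, beside the hardened version that drops the parameter and answers as `text/plain`. The function names, the default file name and the return shape are assumptions.

```php
<?php
// Added example, not SilverStripe's own code. Each handler returns
// [$contentType, $body] instead of writing to the response directly,
// so the two behaviours can be compared in isolation.

// BEFORE: the pattern described in SS-2014-010. The caller controls
// $path, so (1) file_exists() turns the task into an oracle that
// reports whether any relative path on the filesystem exists, and
// (2) the unescaped value is placed in a body served as text/html,
// so markup supplied in the querystring is rendered rather than shown.
function generateSecureTokenVulnerable(array $query): array
{
    $path  = $query['path'] ?? 'token.txt';   // attacker-controlled
    $token = bin2hex(random_bytes(32));
    $note  = file_exists($path) ? "$path already exists" : "writing to $path";
    return ['text/html', "<p>$note</p><pre>$token</pre>"];
}

// AFTER: the 'path' parameter is not read at all, so no filesystem
// lookup is driven by user input, and the body is served as
// text/plain, so nothing in the response is interpreted as HTML.
function generateSecureTokenFixed(): array
{
    $token = bin2hex(random_bytes(32));
    return ['text/plain', "Generated token:\n$token\n"];
}

// Demonstration with a constructed querystring (any relative path
// a caller might guess). Only the fixed handler should ship.
foreach ([
    'vulnerable' => generateSecureTokenVulnerable(['path' => '../composer.json']),
    'fixed'      => generateSecureTokenFixed(),
] as $label => [$type, $body]) {
    echo "== $label (Content-Type: $type) ==\n$body\n";
}
```

Run with `php example.php`; the vulnerable branch prints a line that differs depending on whether the probed file exists, while the fixed branch never consults the filesystem.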