maven-issues mailing list archives

From "Emmanuel Venisse (JIRA)" <>
Subject [jira] Updated: (CONTINUUM-1412) File Inclusion Vulnerability
Date Mon, 27 Aug 2007 09:51:11 GMT


Emmanuel Venisse updated CONTINUUM-1412:

    Fix Version/s: 1.1-beta-3

> File Inclusion Vulnerability
> ----------------------------
>                 Key: CONTINUUM-1412
>                 URL:
>             Project: Continuum
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.1-beta-2
>         Environment: Java version: 1.5.0_10
> OS name: "linux" version: "" arch: "i386"
>            Reporter: Tom Cort
>            Priority: Critical
>             Fix For: 1.1-beta-3
>         Attachments: continuum.JPG
> The value of the userDirectory variable used when calling workingCopy.action is not filtered properly. This gives anyone who can access workingCopy.action the ability to read any file on the file system with the permissions that jetty is running as.
>
> For example, let's say we have continuum installed in /usr/local/continuum. Say we have a project named build-tools with a projectId of 10. Using the following URL, I can display the contents of /proc/version (see attached screenshot).
>
> This is really bad if the user is running continuum as root because it gives the attacker access to every file on the file system.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
For more information on JIRA, see:
